Abstract

We study a typing scheme derived from a semantic situation where a single 
category possesses several closed structures, corresponding to different vari- 
eties of function type. In this scheme typing contexts are trees built from two 
(or more) binary combining operations, or in short, bunches. Bunched typing 
and its logical counterpart, bunched implications, have arisen in joint work of 
the author and David Pym. The present paper gives a basic account of the 
type system, and then focusses on concrete models that illustrate how it may 
be understood in terms of resource access and sharing. 

The most basic system has two context-combining operations, and the structural rules of Weakening and Contraction are allowed for one but not the other. This system includes a multiplicative, or substructural, function type $A -\!* B$ alongside the usual (additive) function type $A \rightarrow B$; it is dubbed the $\alpha\lambda$-calculus after its binders, $\alpha$ for the additive binder and $\lambda$ for the multiplicative, or $\lambda$inear, binder. We show that the features of this system are, in a sense, complementary to calculi based on linear logic; it is incompatible with an interpretation where a multiplicative function uses its argument once, but perfectly compatible with a reading based on sharing of resources. This sharing interpretation is derived from syntactic control of interference, a type-theoretic method of controlling sharing of storage, and we show how bunch-based management of Contraction can be used to provide a more flexible type system for interference control.

1 Introduction 

In most type systems the context $\Gamma$ in a typing judgement $\Gamma \vdash M : B$ is represented as a function from variables to types, or as a set or sequence of associations $x : A$ pairing identifiers with types. In this paper we study bunched typing, where the contexts are trees built from two or more combining operations. So, for example, we will have combining operations "," and ";" which allow us to form contexts $\Gamma, \Delta$ and $\Gamma; \Delta$, and we will be able to nest "," and ";" as in $(\Gamma, \Delta); \Theta$.

The most promising possibility offered by bunched typing is that it gives us a
flexible way to mix together calculi that treat the structural rules of Contraction, 
Weakening and Exchange in different ways; it is entirely possible to arrange matters 
so that one of the combining forms admits a structural rule when the other does not. 
Interest in such substructural type systems has arisen mainly as a result of work on 
linear logic, which has provided a novel way of understanding the structural rules in 
terms of duplication and consumption of data. We will show that bunched typing 
offers a different perspective, with (perhaps) surprising consequences. We show 
that the language we develop is even incompatible with a number-of-uses reading 
(which is characteristic of linear typing). We will argue, instead, that it should be 
understood in terms of sharing, rather than duplication: figuratively speaking, the 
bunch-based approach to structural rules is about who has access to what, rather 
than the number of times a piece of data is used. 

Many variants on bunched typing are possible: the general case is to have a number of combining operations, each of which admits some combination of the structural rules, and perhaps with some interaction between the different forms of combination. The more pressing question, however, is why one might consider bunched typing at all, rather than what the general situation is. So, we will concentrate for the most part on a basic variant, which has two forms of combination, where ";" admits all of the structural rules and "," admits Exchange only. There is no interaction between the two forms of combination. We obtain a calculus which combines simply-typed $\lambda$-calculus and a basic (multiplicative) linear $\lambda$-calculus: it is dubbed the $\alpha\lambda$-calculus after its binders, $\alpha$ for the additive binder and $\lambda$ for the multiplicative, or $\lambda$inear, binder.

Bunched typing may be understood from several theoretical viewpoints (proof theoretic, category theoretic, and semantic) and also from a specific application: sharing of storage in imperative programs. These sources serve to reinforce one another, and in the next section we give an informal and leisurely survey of the perspectives offered by them. Readers who prefer a less leisurely approach can skip forward directly to the synopsis in Section 2.5.

Bunched typing and its Curry-Howard cousin, the logic BI of bunched implications, have been developed as part of joint work with David Pym; BI was introduced in a short paper by the two of us in 1999 [31]. The present paper gives a more detailed account of the type system, explaining how it arises, and various of its properties, from a particular point of view based on a "sharing interpretation" of connectives. This interpretation is suggested by Reynolds's Syntactic Control of Interference [43], one of the main precursors of this work. Pym separately gives a more foundational treatment of both the type system and the logic [38].

Some of the material in this paper was presented, in preliminary form, in the 1999 TLCA conference [26].



2 Routes to Bunched Typing 

2.1 Sharing and Contraction 

The work reported in this paper arose originally from a failed attempt to reconcile two substructural type systems, systems where the structural rule of Contraction is restricted:

$$\dfrac{\Gamma, x : A, y : A \vdash M : C}{\Gamma, z : A \vdash M[z/x, z/y] : C}\ \text{Contraction.}$$



The background is that in 1978 Reynolds proposed syntactic control of interference (or, SCI), a type theoretic method of controlling aliasing and other shared variable interference in imperative programs [43]. In contemporary terminology, what Reynolds used was an affine $\lambda$-calculus, where Contraction is absent and where the typing rule for function application requires that a procedure and its argument have disjoint free identifiers:

$$\dfrac{\Gamma \vdash M : A \rightarrow B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash MN : B}$$

To understand how SCI works, it is crucial to draw a distinction between the 
notion of a variable, or identifier, and that of a storage cell or location that it might 
denote. The central statement of imperative programming is the assignment $x := e$, which overwrites the contents of the cell denoted by $x$. For example, a sequence of assignment statements $x := 1; y := 2$ sets (the cell denoted by) $x$ to 1 and $y$ to 2 if they denote different cells.

      x       y
    +---+   +---+
    | 1 |   | 2 |
    +---+   +---+

But if $x$ and $y$ are aliased, which is to say denote the same cell, then the assignment to $y$ in $x := 1; y := 2$ destroys the value placed in the cell previously by assignment to $x$.

      x   y
       \ /
      +---+
      | 2 |
      +---+

To connect this discussion back to Contraction and function types, note that in

$$((\lambda x.\lambda y.\ \cdots\ x := 1; y := 2\ \cdots)\, z)\, z$$

if $z$ denotes a cell, then that same cell will be passed to both $x$ and $y$, resulting in aliasing. To enable this passing of the same cell to both $x$ and $y$ we have to have Contraction, either explicitly or as an admissible rule, in order to get two occurrences of $z$ in an application $(Mz)z$. From this we can see that banishing Contraction abolishes aliasing, a basic example of sharing, at least in this example.

Meanwhile, in 1987 Girard introduced linear logic (or, LL), a logic that controls Contraction [16]. When its logical rules are used to type $\lambda$-terms, linear logic is evidently related to syntactic control. The typing rule for applying a linear function is

$$\dfrac{\Gamma \vdash M : A \multimap B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash MN : B}$$

and there is no Contraction (or Weakening). Furthermore, in SCI the rule of Contraction is not abolished altogether, but is allowed under restricted circumstances, for certain types that are labelled passive, and in linear typing Contraction is reintroduced under the control of a modality, "!".

Thus, there is a tantalizing formal similarity between SCI and linear logic. But there is also a crucial conceptual difference: the reading of types, and resulting rationale for controlling Contraction, is different in each case.

In SCI, the operative concept is sharing. This can be seen most clearly in the reading of the function type.

$A -\!* B$: functions that don't share storage with their arguments.

Under this reading Contraction is understood as allowing shared access to storage. So limiting Contraction gives control over sharing.

In contrast, in LL the operative concepts are the number of uses of a datum, and consumption.

$A \multimap B$: functions that use their arguments exactly once.

The intuitive connection with consumption is that if a function uses its argument once, then it may never do so again; so one thinks of a linear function as consuming its argument. Under this reading Contraction is understood as duplicating a piece of data, rather than sharing. So limiting Contraction gives control over the number of times a piece of data can be used.

This conceptual discrepancy between LL and SCI was clear to the author in 1990 
[27, 28, 29], but there was a central question left unresolved then: is the difference 
merely one of having two semantic interpretations of the same system (say, LL), or 
is a separate formal structure appropriate to each? Stated another way, does the 
distinction between copying and sharing have type theoretic significance, or is this 
just a case of having two models, where the same type theory is appropriate for 
both? 

A hint of a possible way forward was contained in a curious property of models 
that had been found for SCI in the early 1990s [27, 29, 32], stated as follows in [30]. 

"The semantic model presented here possesses two kinds of exponen- 
tial, one for the monoidal closed structure, and another, adjoint to x 
for cartesian closed structure. This raises the question of whether in- 
terference control and uncontrolled Algol can coexist harmoniously in 
one system . . . An interesting point to note is that here the two kinds 
of closed structure coexist in the same category, so there is no need to 
pass to a separate category, such as a Kleisli category, to interpret the 
intuitionistic (i.e., Algol's) function type." 

Given the natural structure that exists in the models, we are led to ask: what is a typed $\lambda$-calculus corresponding to a category that admits two closed structures? This question leads us to bunched typing.

2.2 From Doubly-Closed Categories to Bunches 

To see how bunches arise categorically, consider that an introduction rule for a function type typically corresponds to an adjunction. That is, a typing rule

$$\dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : A \Rightarrow B}$$

corresponds to an isomorphism of maps of the corresponding shape in a closed category

$$\dfrac{\Gamma \otimes A \longrightarrow B}{\Gamma \longrightarrow (A \Rightarrow B)}.$$

Now, suppose that we have a doubly closed category, i.e., a single category equipped with two monoidal closed structures instead of only one:

$$\dfrac{\Gamma \wedge A \longrightarrow B}{\Gamma \longrightarrow (A \rightarrow B)} \qquad\qquad \dfrac{\Gamma * A \longrightarrow B}{\Gamma \longrightarrow (A -\!* B)}$$

To match this situation, we extend the syntax of typing contexts with an additional combining operation, semi-colon, which allows us to formulate introduction rules corresponding to the two adjunctions:

$$\dfrac{\Gamma; x : A \vdash M : B}{\Gamma \vdash \alpha x.M : A \rightarrow B} \qquad\qquad \dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : A -\!* B}$$

This leads directly to the use of tree-like structures, or bunches, for typing contexts.

We will consider several variants. In each, ";" will admit the structural rules of Weakening, Contraction, and Exchange, and so $\rightarrow$ will behave like the function type in simply-typed $\lambda$-calculus or the implication in intuitionistic logic. The variants will arise by disallowing some of the structural rules for ",". In the basic case we consider, "," will have Exchange, but not Weakening or Contraction, and this corresponds to the situation where $*$ is the tensor product of a symmetric monoidal structure.

Even at this preliminary stage, the categorical perspective allows us to crisply state the formal difference between bunch-based control over structurals and that obtained from linear logic, or linear typing. In models of linear logic two closed categories are involved, where one is often presented as a Kleisli category [48, 5, 4, 2]. For instance, in the original coherence space model there are indeed two function types, but $\multimap$ is closed structure in the category of linear maps, while the additive $\rightarrow$, which can be represented as $!A \multimap B$, is closed for the category of stable maps. This does not provide a model of bunched typing, because in a doubly closed category we ask that the two closed structures reside in one and the same category.

Although theoretically clear, this categorical derivation of bunched structure is purely formal and does not, by itself, tell us much about the character of the resulting calculus; the view presented by categorical models is very abstract. More concretely, we have function types $A -\!* B$ and $A \rightarrow B$, and we should ask: for what kinds of functions?

2.3 The Sharing Interpretation 

The key to understanding the aA-calculus is what we call the sharing interpretation. 
The background idea is of functional programming data such as functions, pairs, etc, 
but with an additional, intensional, notion of resources that computational entities 
are allowed to access. By resource we mean physical resources in a computer system, 
such as files, storage, or external devices. The reading of function types is as follows. 

$A -\!* B$: functions that have access to disjoint resources from their arguments.

$A \rightarrow B$: functions that have access to the same resources as their arguments.

Of course, the reading for -* is just the one mentioned above for SCI. The crucial 
point is that this can happily coexist with a direct reading of the additive function 
type. 

Now, the bare statement of the interpretation is so direct that, at first glance, it may seem as if it must amount to the same thing as resource interpretations for other systems that control the structural rules. For, if we think of a context, roughly, as corresponding to a collection of resources, then the use of separate contexts in the elimination rule for the multiplicative function type $-\!*$ directly expresses the disjointness mentioned in the informal interpretation, and the use of a common context in a rule for the additive corresponds to the sameness.

$$\dfrac{\Gamma \vdash M : A -\!* B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash MN : B} \qquad\qquad \dfrac{\Gamma \vdash M : A \rightarrow B \qquad \Gamma \vdash N : A}{\Gamma \vdash M@N : B}$$

However, there is an important point to notice: the reading places no constraint on how many times a $-\!*$-typed function uses its argument, it just cannot use arguments that share access to common resources. In fact, in Section 3.2 we will see a derivation of a multiplicative function that is compatible with the sharing reading, but that uses its argument twice.

Variations on the sharing interpretation are possible. For example, in a non-commutative situation there are two multiplicative function types, and the interpretation works by introducing dependency between procedure and argument.

$A \twoheadrightarrow B$: functions that may depend on resources of their arguments (but not vice versa).

$A \rightarrowtail B$: functions where the argument may depend on resources accessed by the function (but not vice versa).

This notion of dependency is intended to be spatial in nature. For example, "dependency" could mean that a pointer can go from the area of the store referenced by one datum to an area of store referenced by another.



2.4 Bunches in Proof Theory 

The discussion so far has charted a latter-day route to bunches, emphasizing an interplay between categorical properties and resource interpretations. Historically, bunches first arose in the 1970s for completely different reasons, as a result of a problem in the proof theory of relevant logics [13]. Since then, bunches have been a standard device used by relevantists; e.g., [3, 39, 47]. (I am grateful to David Pym for making me aware of the relevant work.) Other uses of bunched contexts include the mixed linear logic of Ruet and Fages [46], and the dependent linear type theory of Ishtiaq and Pym [21].

The most famous property of relevant logics is their denial of Weakening

$$\dfrac{\Gamma \vdash C}{\Gamma, \Gamma' \vdash C}\ \text{Weakening.}$$

This denial is done in a bid to ensure that the premisses used in a proof are actually relevant to the conclusion. The problem is that, if one simply removes Weakening from standard sequent calculi, say for intuitionistic or classical logic, then some other, intuitively reasonable, laws are blocked as well. Principal among these is the law of distribution

$$A \wedge (B \vee C) \vdash (A \wedge B) \vee (A \wedge C).$$
A standard sequent calculus proof uses Weakening in the top steps:

$$\dfrac{
\dfrac{\dfrac{A \vdash A}{A, B \vdash A} \quad \dfrac{B \vdash B}{A, B \vdash B}}{\dfrac{A, B \vdash A \wedge B}{A, B \vdash (A \wedge B) \vee (A \wedge C)}}
\qquad
\dfrac{\dfrac{A \vdash A}{A, C \vdash A} \quad \dfrac{C \vdash C}{A, C \vdash C}}{\dfrac{A, C \vdash A \wedge C}{A, C \vdash (A \wedge B) \vee (A \wedge C)}}
}{\dfrac{A, (B \vee C) \vdash (A \wedge B) \vee (A \wedge C)}{A \wedge (B \vee C) \vdash (A \wedge B) \vee (A \wedge C).}}$$

And there is no other proof of distribution, if Weakening is simply omitted from sequent calculi.

The most important relevant logics accept distribution for semantic reasons: if one reads $\wedge$ as "and" and $\vee$ as "or", then distribution must follow. To address the proof-theoretic problem, of how to get distribution while restricting Weakening, novel sequent calculi were formulated by Dunn and Minc (see [13]). In the notation of the present paper, the ";" form of combination admits

$$\dfrac{\Delta(\Gamma) \vdash C}{\Delta(\Gamma; \Gamma') \vdash C}\ \text{Weakening}$$

where Weakening for ";" can occur anywhere in a bunch. Then, the rules for $\vee$ and $\wedge$ mention ";" but not ",", and the proof just given for distribution goes through simply by replacing "," with ";".

The flexibility of the bunch-based approach to the structural rules comes about from using one form of combination to describe rules for one collection of connectives, and the other combination for different connectives. Thus, proof theoretically the relevantists were able to cater for the different requirements of extensional, or additive, connectives such as $\wedge$ and $\vee$, and intensional, or multiplicative, connectives such as fusion and relevant implication. For example, the right rules for the two conjunctions are

$$\dfrac{\Gamma \vdash A \qquad \Delta \vdash B}{\Gamma; \Delta \vdash A \wedge B} \qquad\qquad \dfrac{\Gamma \vdash A \qquad \Delta \vdash B}{\Gamma, \Delta \vdash A * B}$$

Although these rules are identical in form, the prohibition of Weakening for "," means that they have significantly different ramifications.

The categorical derivation of bunched structure we described earlier complements the prior discovery of the relevantists, but also provides a more theoretically cohesive rationale for it. Whereas bunches can be used to deal with technical problems (such as distribution), they are in a sense semantically inevitable from the point of view of doubly closed categories.

2.5 Synopsis 

In the next section we present a pared down form of bunched typing, where the only 
type constructors are for function types. This function-only fragment is simple, but 
also displays the most important and unusual consequences of the approach. We 
make a comparison with linear typing, using a number of examples. 

In Section 4 we do some basic work, verifying preservation of typing under 
substitution and reduction. We also spell out the interpretation of the system in 
its categorical models. 

We have discussed the sharing interpretation above, and we will use it to provide 
intuitive justification for some of the examples treated in Section 3.2. But the 
interpretation is stated informally, and it is important to know that it is consistent 
with bunched structure and doubly closed categories. We tackle this issue in Section 
5 by presenting several models, whose description reflects the informal interpretation 
closely, while at the same time exhibiting doubly closed structure. 

The central technique for linking the formal properties of bunched typing to 
sharing is the spatial approach to possible world semantics [44, 29, 30, 33]. In 
this approach, a world is viewed as corresponding to an area of memory (or, more 
generally, to resource), and the semantics of types and terms is parameterized by 
worlds. A semantic expression describing the meaning of any given term will have 
several occurrences of possible world parameters within it. The spatial intuition 
captured by this form of semantics is that when two subexpressions of a semantic 
expression mention different worlds, the subexpressions refer to separate areas of 
storage, and consequently don't interfere. The models in Section 5 are stripped- 
down versions of spatial possible world models. 

After describing further properties of the categorical models in Section 6, we 
move on in Sections 7-10 to SCI. We show how the affine variant of the calculus 
(which admits Weakening but not Contraction for ",") can be used to resolve prob- 
lems with jumps and recursion in the original SCI. We use bunches to provide a 
flexible form of interference control, where sharing constraints can be switched on 
and off as one moves from more local to more global contexts. 

To proceed with a minimum of distraction, in presenting this work we will avoid detailed questions about the relation between syntax and semantics, questions concerning coherence, completeness, and the like. We want to use the semantics mainly as a means to expose surprising or interesting properties of the system. On one level this seems fair enough, as the calculus is very close to the models, being derived from them. But a thorough analysis is crucial; this is provided in Pym's monograph [38]. In any case, the presentation here will be self-contained, and is largely complementary to that given in [38], to which we refer for material on completeness and coherence properties of the semantics.
3 Bunched Typing



3.1 The Basic System 

The basic system is motivated by models as follows.

Definition 1 A cartesian doubly closed category, or cartesian dcc in short, is a category equipped with two symmetric monoidal closed structures $(I, *, -\!*)$ and $(1, \wedge, \rightarrow)$, where $1, \wedge$ is cartesian.

We assume an unspecified collection of primitive types.

Types

$$\begin{array}{rcll}
A & ::= & p & \text{primitive types}\\
  & \mid & A -\!* A & \text{multiplicative function type}\\
  & \mid & A \rightarrow A & \text{additive function type}
\end{array}$$

Bunches

$$\begin{array}{rcll}
\Gamma & ::= & x : A & \text{identifier assumption}\\
  & \mid & I & \text{multiplicative unit}\\
  & \mid & \Gamma, \Gamma & \text{multiplicative combination}\\
  & \mid & 1 & \text{additive unit}\\
  & \mid & \Gamma; \Gamma & \text{additive combination}
\end{array}$$

Bunches are subject to the restriction that no identifier may occur twice in the tree. This restriction determines implicit side conditions on some of the rules below. We write $\Gamma(\Delta)$ to indicate a bunch in which $\Delta$ appears as a subtree, and $\Gamma(\Delta')$ for the similar tree where $\Delta'$ replaces $\Delta$. To describe Contraction below, we use $i(\Gamma)$ to denote the list of identifiers encountered one after the other in an inorder traversal of the tree $\Gamma$. $\Gamma \cong \Delta$ indicates that $\Gamma$ and $\Delta$ are isomorphic as trees; i.e., one can be obtained from the other by a suitable renaming of identifiers.

We won't try to come up with a more compact representation of bunches using, 
say, sets or sequences instead of binary operators: The real point of bunches is to 
let us get the a- and A-abstractions right. We use an equivalence on trees instead 
of worrying about representation. 

Coherent Equivalence: $\Gamma \equiv \Gamma'$.

$\equiv$ is the smallest equivalence relation on bunches satisfying

1. Commutative monoid equations for $1$ and ";"
2. Commutative monoid equations for $I$ and ","
3. Congruence: if $\Delta \equiv \Delta'$ then $\Gamma(\Delta) \equiv \Gamma(\Delta')$

Note that ";" and "," do not distribute over one another.



Typing Judgements

These are of the form

$$\Gamma \vdash M : A$$

where the terms $M$ are defined in the following rules.

Identity and Structure

$$\dfrac{}{x : A \vdash x : A}\ \text{Id} \qquad\qquad \dfrac{\Gamma \vdash M : A}{\Gamma' \vdash M : A}\ \equiv\ (\text{where } \Gamma \equiv \Gamma')$$

$$\dfrac{\Gamma(\Delta) \vdash M : A}{\Gamma(\Delta; \Delta') \vdash M : A}\ \text{W} \qquad\qquad \dfrac{\Gamma(\Delta; \Delta') \vdash M : A}{\Gamma(\Delta) \vdash M[i(\Delta)/i(\Delta')] : A}\ \text{C}\ (\text{where } \Delta \cong \Delta')$$
Functions

$$\dfrac{\Gamma; x : A \vdash M : B}{\Gamma \vdash \alpha x.M : A \rightarrow B}\ {\rightarrow}\text{I} \qquad\qquad \dfrac{\Gamma \vdash M : A \rightarrow B \qquad \Delta \vdash N : A}{\Gamma; \Delta \vdash M@N : B}\ {\rightarrow}\text{E}$$

$$\dfrac{\Gamma, x : A \vdash M : B}{\Gamma \vdash \lambda x.M : A -\!* B}\ {-\!*}\text{I} \qquad\qquad \dfrac{\Gamma \vdash M : A -\!* B \qquad \Delta \vdash N : A}{\Gamma, \Delta \vdash MN : B}\ {-\!*}\text{E}$$

In the C rule we are using a multi-nary form of substitution, where $M[i(\Delta)/i(\Delta')]$ is $M$ with each identifier in the list $i(\Delta')$ replaced by the identifier with the same list index in $i(\Delta)$.

The rules for $-\!*$ and $\rightarrow$ are identical in form, but the connectives behave differently because of the structural properties of "," and ";". For example, a rule for additive function application that shares contexts

$$\dfrac{\Gamma \vdash M : A \rightarrow B \qquad \Gamma \vdash N : A}{\Gamma \vdash M@N : B}$$

is derivable using Contraction (see Section 3.4 for further discussion of this). The corresponding rule for $-\!*$ is not derivable.

To see how these rules are working, as a warming-up example notice that, given a judgement $x : A \vdash x : A$, we cannot immediately use an introduction rule to type an identity function of type $A -\!* A$ or $A \rightarrow A$. To apply an introduction rule for a function type we must have a context of the form $\Gamma, x : A$ or $\Gamma; x : A$. So we need to use coherent equivalence first.



$$\dfrac{\dfrac{x : A \vdash x : A}{1; x : A \vdash x : A}}{1 \vdash \alpha x.x : A \rightarrow A} \qquad\qquad \dfrac{\dfrac{x : A \vdash x : A}{I, x : A \vdash x : A}}{I \vdash \lambda x.x : A -\!* A}$$

As a second example, using coherent equivalence we can also mimic the isomorphisms

$$[1, A \rightarrow B] \cong [A, B] \cong [I, A -\!* B]$$

of hom sets in a dcc.

$$\dfrac{\dfrac{x : A \vdash M : B}{1; x : A \vdash M : B}}{1 \vdash \alpha x.M : A \rightarrow B} \qquad\qquad \dfrac{\dfrac{x : A \vdash M : B}{I, x : A \vdash M : B}}{I \vdash \lambda x.M : A -\!* B}$$

$$\dfrac{\dfrac{1 \vdash M : A \rightarrow B \qquad x : A \vdash x : A}{1; x : A \vdash M@x : B}}{x : A \vdash M@x : B} \qquad\qquad \dfrac{\dfrac{I \vdash M : A -\!* B \qquad x : A \vdash x : A}{I, x : A \vdash Mx : B}}{x : A \vdash Mx : B}$$

These derivations may make the difference between $-\!*$ and $\rightarrow$ appear rather thin, but they only show that closed terms in different contexts of one function type are convertible to the other. Furthermore, in $\alpha\lambda$ the putative judgements $A -\!* B \vdash\ ? : A \rightarrow B$ and $A \rightarrow B \vdash\ ? : A -\!* B$ are not inhabited by any terms. We confirm this in Section 6.2, where we give a model (Example 13) in which there are no maps between $A -\!* B$ and $A \rightarrow B$.

To see that Weakening for "," is not admissible in the calculus, simply note that $x : A \vdash x : A$ is derivable but $x : A, y : B \vdash x : A$ is not. To see that Contraction for "," is not admissible, note that $(f : A -\!* B; x : A), (f' : A -\!* B; x' : A) \vdash fx' : B$ is derivable, while $f : A -\!* B; x : A \vdash fx : B$ is not. We will confirm the non-admissibility of these rules by appealing to a semantic model in Remark 9 in Section 5.1.
3.2 Unusual Examples, and Comparison to Linear Typing



The $\alpha\lambda$-calculus allows for multiplicative functions that use their arguments many times. For example, in the following, a variable abstracted using $\lambda$, the multiplicative abstraction, appears multiple times in the body of the term.

$$\dfrac{\dfrac{\dfrac{\dfrac{x; f \vdash f@x : A \rightarrow B \qquad x; f \vdash x : A}{x : A; f : A \rightarrow A \rightarrow B \vdash (f@x)@x : B}}{x : A \vdash \alpha f.(f@x)@x : ((A \rightarrow A \rightarrow B) \rightarrow B)}\ {\rightarrow}\text{I}}{I, x : A \vdash \alpha f.(f@x)@x : ((A \rightarrow A \rightarrow B) \rightarrow B)}\ \equiv}{I \vdash \lambda x.\alpha f.(f@x)@x : A -\!* ((A \rightarrow A \rightarrow B) \rightarrow B)}\ {-\!*}\text{I}$$

Here, in the key, top-pictured, step we use the admissible rule for $\rightarrow$ elimination (or equivalently we use ${\rightarrow}$E followed by Contraction, with suitable renaming of premises).

This term seems wrong if one thinks of a number-of-uses reading. But it is justified by the sharing interpretation. To see why, consider that the subterm $f@x$ is of type $A \rightarrow B$. According to the sharing interpretation, it is allowed to share with its argument, in this case $x$, which is why $(f@x)@x$ is reasonable. The sharing interpretation would not support an application $(fx)x$ where $f$ had type $A -\!* A -\!* B$. (It is important to realize that this term really is "using" $x$ twice. Suppose that $A$ is in fact a function type: if $f$ is a function that accepts two functions, and applies them to different arguments, then $(f@x)@x$ would use $x$ in two different ways.)
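As an added illustration that is not part of the paper, the following Python proof checker validates derivation trees against the rules of Section 3.1 (Id, $\equiv$, W, C and the four function rules), deciding coherent equivalence by a normal form and enforcing the side conditions the rules leave implicit (no identifier twice in a bunch, $\Delta \cong \Delta'$ for Contraction, and the renaming $M[i(\Delta)/i(\Delta')]$). The tuple encodings of bunches, terms and types, and all helper names, are this example's own. It confirms the derivation of $\lambda x.\alpha f.(f@x)@x$ just given, with the admissible ${\rightarrow}$E step expanded into ${\rightarrow}$E followed by coherent equivalence and Contraction, and it rejects a ${-\!*}$E instance whose conclusion combines the contexts with ";" instead of ",", which is the step a derivation of $f : A -\!* B; x : A \vdash fx : B$ would need.

```python
# Added example, not code from the paper: a proof checker for the function-only
# alpha-lambda calculus of Section 3.1, in this example's own encodings. Bunches:
# leaf (x, A), units 'I' and '1', (',', L, R), (';', L, R). Terms: ('var', x),
# ('lam', x, M), ('alpha', x, M), ('app', M, N), ('aapp', M, N). Types: a primitive
# name, ('-*', A, B), ('->', A, B). Derivations: (rule, (bunch, term, type), [premises]).
OPS, UNIT = (',', ';'), {',': 'I', ';': '1'}
is_comb = lambda b: isinstance(b, tuple) and b[0] in OPS

def idents(b):  # i(Gamma): identifiers in inorder traversal order
    return [] if isinstance(b, str) else idents(b[1]) + idents(b[2]) if is_comb(b) else [b[0]]

def canon(b):  # coherent-equivalence normal form: flatten, drop units, sort siblings
    if not is_comb(b):
        return b
    op, kids = b[0], []
    for child in (canon(b[1]), canon(b[2])):
        if child != UNIT[op]:
            kids.extend(child[1:] if is_comb(child) and child[0] == op else [child])
    return UNIT[op] if not kids else kids[0] if len(kids) == 1 else (op,) + tuple(sorted(kids, key=repr))

def equiv(b1, b2):
    return canon(b1) == canon(b2)

def shape(b):  # identifier names erased: Delta ~= Delta' iff shapes agree
    return b if isinstance(b, str) else (b[0], shape(b[1]), shape(b[2])) if is_comb(b) else ('_', b[1])

def rename(m, sub):  # M[i(Delta)/i(Delta')] on free identifiers, stopping at binders
    if m[0] == 'var':
        return ('var', sub.get(m[1], m[1]))
    if m[0] in ('lam', 'alpha'):
        return (m[0], m[1], rename(m[2], {v: w for v, w in sub.items() if v != m[1]}))
    return (m[0], rename(m[1], sub), rename(m[2], sub))

def one_hole(p, c, ok):  # c is p with exactly one subtree d replaced by d', ok(d, d')
    if ok(p, c):
        return True
    if is_comb(p) and is_comb(c) and p[0] == c[0]:
        return (p[1] == c[1] and one_hole(p[2], c[2], ok)) or (p[2] == c[2] and one_hole(p[1], c[1], ok))
    return False

ARITY = {'Id': 0, 'Equiv': 1, 'W': 1, 'C': 1, '-*I': 1, '->I': 1, '-*E': 2, '->E': 2}
MULT, ADD = (',', 'lam', 'app', '-*'), (';', 'alpha', 'aapp', '->')

def check(deriv):
    """Validate every rule instance of a derivation against the Section 3.1 rules."""
    rule, (G, M, A), prems = deriv
    names = idents(G)  # side condition: no identifier occurs twice in a bunch
    if (rule not in ARITY or len(prems) != ARITY[rule] or len(names) != len(set(names))
            or not all(check(p) for p in prems)):
        return False
    pc = [p[1] for p in prems]
    op, binder, app, arrow = MULT if rule.startswith('-*') else ADD
    if rule == 'Id':
        return M[0] == 'var' and G == (M[1], A)
    if rule.endswith('E'):  # -*E / ->E: premise contexts combined by ',' / ';'
        (G1, M1, T1), (G2, N, A2) = pc
        return T1 == (arrow, A2, A) and G == (op, G1, G2) and M == (app, M1, N)
    G1, M1, A1 = pc[0]
    if rule == 'Equiv':
        return equiv(G, G1) and (M, A) == (M1, A1)
    if rule == 'W':  # Gamma(Delta) to Gamma(Delta ; Delta'), for any Delta'
        return (M, A) == (M1, A1) and one_hole(G1, G, lambda dd, e: is_comb(e) and e[0] == ';' and e[1] == dd)
    if rule == 'C':  # Gamma(Delta ; Delta') to Gamma(Delta), Delta ~= Delta', renaming M
        found = []
        def contract(dd, e):
            if is_comb(dd) and dd[0] == ';' and dd[1] == e and shape(dd[1]) == shape(dd[2]):
                found.append(dict(zip(idents(dd[2]), idents(dd[1]))))
            return bool(found)
        return A == A1 and one_hole(G1, G, contract) and M == rename(M1, found[0])
    # -*I / ->I: the abstracted assumption is the right child of the premise bunch
    return (isinstance(A, tuple) and A[0] == arrow and A[2] == A1 and M[0] == binder
            and M[2] == M1 and G1 == (op, G, (M[1], A[1])))

def d(rule, bunch, term, typ, *prems):
    return (rule, (bunch, term, typ), list(prems))

F = ('->', 'A', ('->', 'A', 'B'))  # A -> A -> B
fv, xv, xv2 = ('var', 'f'), ('var', 'x'), ('var', "x'")
BODY = ('aapp', ('aapp', fv, xv), xv)  # (f@x)@x

def unusual_example():  # Section 3.2: I |- lambda x. alpha f. (f@x)@x : A -* ((A -> A -> B) -> B)
    fx = d('->E', (';', ('f', F), ('x', 'A')), ('aapp', fv, xv), ('->', 'A', 'B'),
           d('Id', ('f', F), fv, F), d('Id', ('x', 'A'), xv, 'A'))
    deriv = d('->E', (';', (';', ('f', F), ('x', 'A')), ("x'", 'A')),
              ('aapp', ('aapp', fv, xv), xv2), 'B', fx, d('Id', ("x'", 'A'), xv2, 'A'))
    for step in [  # the admissible ->E step, expanded: Equiv, then Contraction
        ('Equiv', (';', ('f', F), (';', ('x', 'A'), ("x'", 'A'))), deriv[1][1], 'B'),
        ('C', (';', ('f', F), ('x', 'A')), BODY, 'B'),
        ('Equiv', (';', ('x', 'A'), ('f', F)), BODY, 'B'),
        ('->I', ('x', 'A'), ('alpha', 'f', BODY), ('->', F, 'B')),
        ('Equiv', (',', 'I', ('x', 'A')), ('alpha', 'f', BODY), ('->', F, 'B')),
        ('-*I', 'I', ('lam', 'x', ('alpha', 'f', BODY)), ('-*', 'A', ('->', F, 'B')))]:
        deriv = d(*step, deriv)
    return deriv

def bad_step():  # -*E cannot conclude f : A -* B ; x : A |- fx : B; it needs ','
    g = ('-*', 'A', 'B')
    return d('-*E', (';', ('f', g), ('x', 'A')), ('app', fv, xv), 'B',
             d('Id', ('f', g), fv, g), d('Id', ('x', 'A'), xv, 'A'))
```

The checker only validates a derivation handed to it; it does not search for one, so the non-derivability claims for Weakening and Contraction on "," still rest on the semantic arguments referred to above rather than on anything this code establishes.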

Similarly, we can have a multiplicative function that doesn't use its argument at all.

$$\dfrac{\dfrac{\dfrac{\dfrac{y : B \vdash y : B}{x : A; y : B \vdash y : B}\ \text{W}}{x : A \vdash (\alpha y.y) : B \rightarrow B}\ {\rightarrow}\text{I}}{I, x : A \vdash (\alpha y.y) : B \rightarrow B}\ \equiv}{I \vdash \lambda x.(\alpha y.y) : A -\!* (B \rightarrow B)}\ {-\!*}\text{I}$$

It is instructive to compare with the corresponding types in linear type theory. For the first example, the type would be $A \multimap\, !(!A \multimap\, !A \multimap B) \multimap B$. In trying to derive a term we could $\lambda$-abstract on $x : A$ and function parameter $f$. But then, to apply (the dereliction of) $f$ to $x$, we would need to convert $x$ to something of type $!A$, and we cannot do a conversion from $A$ to $!A$ in general. Similarly, for the type $A \multimap\, !B \multimap B$ we can abstract on $x : A$ and $y : !B$, but we cannot throw $x$ away.

What is happening here can perhaps be seen more clearly by reference to Barber and Plotkin's DILL system [2], which is a particular formulation of linear typing, that admits a direct description of $\rightarrow$. In Barber and Plotkin's setup, ";" is used as a marker, between intuitionistic and linear zones, and judgements are of the form $\Gamma; \Delta \vdash M : A$. Here, intuitionistic zone $\Gamma$ and linear zone $\Delta$ are simply lists or sets, and the operative rules are
DILL Typing

$$\dfrac{}{\Gamma, x : A; - \vdash x : A}\ \text{Id-Int} \qquad\qquad \dfrac{}{\Gamma; x : A \vdash x : A}\ \text{Id-Lin}$$

$$\dfrac{\Gamma, x : A; \Delta \vdash M : B}{\Gamma; \Delta \vdash \alpha x.M : A \rightarrow B}\ {\rightarrow}\text{I} \qquad\qquad \dfrac{\Gamma; \Delta \vdash M : A \rightarrow B \qquad \Gamma; - \vdash N : A}{\Gamma; \Delta \vdash M@N : B}\ {\rightarrow}\text{E}$$

$$\dfrac{\Gamma; \Delta, x : A \vdash M : B}{\Gamma; \Delta \vdash \lambda x.M : A \multimap B}\ {\multimap}\text{I} \qquad\qquad \dfrac{\Gamma; \Delta \vdash M : A \multimap B \qquad \Gamma; \Delta' \vdash N : A}{\Gamma; \Delta, \Delta' \vdash MN : B}\ {\multimap}\text{E}$$

For the first of our unusual examples, the main point in DILL is that the linear zone has to be empty in the argument of an additive application $M@N$. The reason, then, that $\lambda x.\alpha f.(f@x)@x$ is not typable in DILL is that $x$ would have to be in the linear zone, as it is abstracted using $\lambda$, so the elimination rule for $\rightarrow$ could not be used. For the second example, in DILL the linear zone must be empty when we introduce an identifier from the intuitionistic zone. As a result, $\lambda x.(\alpha y.y)$ is not typable, because $x$ would have to be in the linear zone when $y$ is introduced in the body.

We have given terms for certain judgements in $\alpha\lambda$ that are not inhabited in linear $\lambda$-calculi. Next, we give a judgement that is inhabited in linear type systems, and which is not in $\alpha\lambda$.

In linear logic $\multimap$ is convertible to $\rightarrow$: we always have $A \multimap B \vdash\ !A \multimap B$, using dereliction. In DILL we can represent this with the judgement

$$-; f : A \multimap B \vdash \alpha x.fx : A \rightarrow B$$

We use an empty intuitionistic context for comparison here, as to use the intuitionistic zone would be tantamount to inserting an additional "!". We remarked above that $-\!*$ is not convertible to $\rightarrow$ under bunched typing, but it is useful to see why this is so. If we try to derive the corresponding judgement in $\alpha\lambda$ we get stuck:

$$\dfrac{\dfrac{???}{f : A -\!* B; x : A \vdash fx : B}}{f : A -\!* B \vdash \alpha x.fx : A \rightarrow B}\ {\rightarrow}\text{I}$$

The ??? here cannot be filled in, because under bunched typing $f$ and $x$ would have to be separated using "," in order to use the ${-\!*}$E rule to apply the multiplicative function $f$. That there is no term inhabiting a judgement of this form will be verified in Section 6.2, again by exhibiting a model where there are no maps of the appropriate shape.

The discussion in this section shows that, in terms of inhabitation, $\alpha\lambda$ and linear type systems are incomparable extensions of multiplicative and simply-typed $\lambda$-calculi. Stated logically, intuitionistic linear logic (with "!") and BI are incomparable extensions of multiplicative intuitionistic linear logic and intuitionistic logic. More importantly, each system has a conceptual justification for the point of view it takes on these judgements where they differ. For linear typing, this is provided by the number-of-uses reading, and also by the linear type structure of domain theory. For bunched typing, this rationale is provided by the sharing interpretation.



3.3 Variants and Extensions 

Many variants of the basic system are possible; the general case is to have a number 
of closed structures on a given category. There is no theoretical reason to stop at 
two, and neither is there a technical reason why one of these structures should be 
cartesian. But the main reason why bunches are interesting is that they give a 
particularly simple way to combine a substructural system, which on its own would 
be rather inexpressive, with a system of full strength additive connectives. By "full 
strength" we mean a function type or implication that is adjoint to a cartesian 
product or conjunction. 

We briefly mention two of the variants, one where the substructural fragment 
is affine, and another that includes a non-commutative fragment. We also describe 
rules for products. 

Adding Products. We have considered the function-only fragment. The rules for 
products, which internalize ";" and ",", are as follows. 

\[
\frac{\Gamma \vdash M : A \qquad \Delta \vdash N : B}{\Gamma\ ;\ \Delta \vdash (M, N) : A \wedge B}\ {\wedge}\mathrm{I}
\qquad
\frac{\Gamma \vdash M : A_1 \wedge A_2}{\Gamma \vdash \pi_i M : A_i}\ {\wedge}\mathrm{E}\ (i = 1 \text{ or } 2)
\]
\[
\frac{\Gamma \vdash M : A \qquad \Delta \vdash N : B}{\Gamma\ ,\ \Delta \vdash M * N : A * B}\ {*}\mathrm{I}
\qquad
\frac{\Gamma(x : A\ ,\ y : B) \vdash N : C \qquad \Delta \vdash M : A * B}{\Gamma(\Delta) \vdash \mathrm{let}\ (x, y) = M\ \mathrm{in}\ N : C}\ {*}\mathrm{E}
\]

The full system of BI also contains units for these products, and coproducts [31]. 
See [38] for the corresponding term calculus rules. 

The Affine Variant. The affine variant arises semantically by demanding that 
the units $I$ and $1$ be isomorphic. The models are affine dcc's, which are cartesian 
dcc's where $I$ is terminal. 

The affine variant extends the basic calculus as follows. 

Affine Coherent Equivalence adds 

• $I \equiv 1$ 

to Coherent Equivalence. 

Convertibility of "," to ";" 

\[
\frac{\Gamma(\Delta\ ;\ \Delta') \vdash M : A}{\Gamma(\Delta\ ,\ \Delta') \vdash M : A}\ \mathrm{Conv}
\]

Weakening for "," is derivable in the affine variant. 

\[
\frac{\Gamma(\Delta) \vdash M : A}{\Gamma(\Delta\ ,\ \Delta') \vdash M : A}\ \mathrm{W}_{,}
\]



$A \to B$ and $A -\!* B$ are not convertible to one another in the basic αλ, but in 
the affine variant we can go from the former to the latter. 

\[
\dfrac{
 \dfrac{
  \dfrac{
   \dfrac{f : A \to B \vdash f : A \to B}{f : A \to B\ ,\ x : A \vdash f : A \to B}\ \mathrm{W}_{,}
   \qquad
   \dfrac{x' : A \vdash x' : A}{f' : A \to B\ ,\ x' : A \vdash x' : A}\ \mathrm{W}_{,}
  }{(f : A \to B\ ,\ x : A)\ ;\ (f' : A \to B\ ,\ x' : A) \vdash f@x' : B}\ {\to}\mathrm{E}
 }{f : A \to B\ ,\ x : A \vdash f@x : B}\ \mathrm{C}
}{f : A \to B \vdash \lambda x.\, f@x : A -\!* B}\ {-\!*}\mathrm{I}
\]

An intuitive explanation of this conversion can be given in terms of syntactic control 
of interference (see Section 8.2). If $f$ is a function that can be applied to any 
argument, then we can also use it in a context where it is only applied to arguments 
with which it doesn't interfere. 
A Non-commutative Variant. The non-commutative variant we consider com- 
bines non-commutative, commutative, and intuitionistic fragments. A model is a 
single category with: a monoidal biclosed structure; a symmetric monoidal closed 
structure; a cartesian closed structure. (We decline to formulate an acronym.) The 
biclosed part means that we have two function types $\bullet\!-$ and $-\!\bullet$ satisfying the 
isomorphisms 

\[ [B,\ A \mathrel{\bullet\!-} C] \ \cong\ [A \bullet B,\ C] \ \cong\ [A,\ B \mathrel{-\!\bullet} C] \]

where $\bullet$ is the product of a (not necessarily symmetric) monoidal structure. 

Syntactically, the bunches from the basic system are augmented by adding a 
new unit and combination: 

\[
\begin{array}{lll}
\Gamma & ::= & \text{previous clauses} \\
 & | & J \qquad \text{non-commutative unit} \\
 & | & \Gamma \bullet \Gamma \qquad \text{non-commutative combination}
\end{array}
\]

where for coherent equivalence we require 

• Monoid equations for $J$ and $\bullet$. 

Notice that there is no commutativity. We can then add rules for the left-leaning 
and right-leaning function types. 

\[
\frac{x : A \bullet \Gamma \vdash M : B}{\Gamma \vdash \lambda_{\bullet\!-} x.\, M : A \mathrel{\bullet\!-} B}\ {\bullet\!-}\mathrm{I}
\qquad
\frac{\Gamma \vdash M : A \mathrel{\bullet\!-} B \qquad \Delta \vdash N : A}{\Delta \bullet \Gamma \vdash MN : B}\ {\bullet\!-}\mathrm{E}
\]
\[
\frac{\Gamma \bullet x : A \vdash M : B}{\Gamma \vdash \lambda_{-\!\bullet} x.\, M : A \mathrel{-\!\bullet} B}\ {-\!\bullet}\mathrm{I}
\qquad
\frac{\Gamma \vdash M : A \mathrel{-\!\bullet} B \qquad \Delta \vdash N : A}{\Gamma \bullet \Delta \vdash MN : B}\ {-\!\bullet}\mathrm{E}
\]

(We will not attempt to syntactically disambiguate the various forms of application.) 

The way that this system mixes its three fragments is different from Polakow 
and Pfenning's [37] three-zone, non-commutative variant of DILL, similarly to how 
DILL and αλ are different, as discussed above. It appears that models of their 
system can be given using three categories, with appropriate mappings between 
them, just as DILL arises from models based on a pair of categories. 

The relationship to the system of Ruet and Fages [46] (also, [41, 40]) is less 
obvious. Their system uses bunches to combine two multiplicative fragments: the 
non-commutative and the commutative. However, it does not use bunches to treat 
the additives, instead relying on a modality as in linear logic. Also, their multiplica- 
tives are classical, in that there is a (dualizing) multiplicative negation. It appears 
that their system can be modelled using two categories, one a ccc and the other 
a category possessing simultaneously a monoidal biclosed structure and a (sepa- 
rate) symmetric monoidal closed structure, and a dualizing object (with additional 
properties) . 



3.4 Explicit versus Implicit Structural Rules 

One might have expected a different formulation of αλ, where the rules of Weakening 
and Contraction are removed, and the rules Id and $\to$E are replaced with 

\[
\frac{}{\Gamma\ ;\ x : A \vdash x : A}\ \mathrm{Id,\ revised}
\qquad
\frac{\Gamma \vdash M : A \to B \qquad \Gamma \vdash N : A}{\Gamma \vdash M@N : B}\ {\to}\mathrm{E,\ revised}
\]

These rules are derivable in the basic system. The revised rule for identifiers fol- 
lows from Id, using Weakening for ";". And the revised rule for additive function 
application follows from $\to$E and Contraction. 
Let us call this the implicit system. The simply-typed λ-calculus is usually pre- 
sented in this implicit fashion, where Weakening is implicit in the rule for identifiers, 
and Contraction is implicit in the elimination rule for functions. This implicit ap- 
proach does not work correctly in αλ, owing to interactions between multiplicatives 
and additives. 

To see the problem, consider the judgement 

\[ (f : A -\!* B\ ,\ x : A)\ ;\ z : C \ \vdash\ fx : B \]

This is derivable in the basic system: first we derive $f : A -\!* B\ ,\ x : A \vdash fx : B$, and 
then we use Weakening. But in the implicit system it cannot be derived, because 
when we apply the elimination rule for $-\!*$ we get a context of the form $\Gamma\ ,\ \Delta$. And 
$(f : A -\!* B\ ,\ x : A)\ ;\ z : C$ is not equivalent to any bunch of the form $\Gamma\ ,\ \Delta$, where $f$ 
appears in $\Gamma$ and $x$ in $\Delta$. Since we can easily derive $f : A -\!* B\ ,\ x : A \vdash fx : B$ in 
the implicit system, this shows that the implicit system does not admit Weakening 
for ";". 

There is a similar problem with $*$. For, if we add the rules for $*$ to the implicit 
system, then Contraction is not derivable. We may readily derive 

\[ (f : Z -\!* A * B\ ,\ z : Z)\ ;\ (f' : Z -\!* A * B\ ,\ z' : Z) \ \vdash\ \mathrm{let}\ (a, b) = fz\ \mathrm{in}\ f'z' \]

but not 

\[ f : Z -\!* A * B\ ,\ z : Z \ \vdash\ \mathrm{let}\ (a, b) = fz\ \mathrm{in}\ fz \]

There is the option of building Contraction into the elim rule for * , and Weak- 
ening into the elim rule for -* , but this would be treating a symptom rather than 
a cause. In the absence of a less unsightly solution, the formulation with explicit 
structural rules is to be preferred. 

4 Basic Properties 

Although the general idea of the αλ-calculus follows at once from doubly closed 
categorical structure, the detailed formulation does not. We even saw at the end of 
the previous section that it is entirely possible to formulate plausible-looking rules 
that are not quite right. In this section we examine some basic properties of αλ, 
concentrating on the basic system from Section 3.1. (We will not be ambitious 
here; this material is of the initial sanity check variety, and one could go much 
further.) 

We first validate properties relating typing to substitution and reduction. Typ- 
ing and reduction are areas where substructural type systems, which are surprisingly 
delicate, have encountered problems in the past, so it is appropriate that they be ex- 
plored early. We then spell out how the calculus can be interpreted in any cartesian 
dcc. 

4.1 Substitution and Reduction 

Before tackling reduction, we need that each of the introduction rules for function 
types is reversible. This is a property we expect given the isomorphisms 

\[ [A * B,\ C] \cong [A,\ B -\!* C] \qquad [A \wedge B,\ C] \cong [A,\ B \to C] \]

in a dcc. 

Lemma 2 (Reversibility) The inverses of $-\!*$I and $\to$I are admissible rules: 

\[
\frac{\Gamma \vdash \alpha x.\, M : A \to B}{\Gamma\ ;\ x : A \vdash M : B}
\qquad
\frac{\Gamma \vdash \lambda x.\, M : A -\!* B}{\Gamma\ ,\ x : A \vdash M : B}
\]
Proof Sketch: In each case a derivation of the premiss must end with an applica- 
tion of the corresponding intro rule, followed by a sequence of applications of the 
structural rules (W, C, $\equiv$). The proof goes by induction on the length of this last 
part of the derivation; all cases are straightforward. ■ 

Recall here that "admissibility" means that if you can infer the judgement above 
the line, then you can also infer the judgement below. This does not, however, 
mean that there is a generic derivation from one to the other, and admissibility is 
a property that is not preserved under extensions to a language. 

The substitution lemma is formulated for identifiers appearing arbitrarily deeply 
in a bunch. 

Lemma 3 (Substitution Lemma) The following is an admissible rule. 

\[
\frac{\Gamma(x : A) \vdash M : B \qquad \Delta \vdash N : A}{\Gamma(\Delta) \vdash M[N/x] : B}
\]

Proof Sketch: As usual, a multi-nary version is proven in order to get a strong 
enough induction hypothesis: 

\[
\frac{\Gamma(x_1 : A_1 \mid \cdots \mid x_m : A_m) \vdash M : B \qquad \Delta_1 \vdash N_1 : A_1 \quad \cdots \quad \Delta_m \vdash N_m : A_m}
{\Gamma(\Delta_1 \mid \cdots \mid \Delta_m) \vdash M[N_1/x_1, \ldots, N_m/x_m] : B}
\]

where $\Gamma(\Delta_1 \mid \cdots \mid \Delta_m)$ indicates a bunch with multiple distinct sub-bunches. 

The proof goes by induction on the derivation of $\Gamma(x_1 : A_1 \mid \cdots \mid x_m : A_m) \vdash M : B$, 
where the multi-nary aspect is used to deal with the case of Contraction. ■ 

The two kinds of function in αλ come associated with the usual reductions. 

\[
\begin{array}{ll}
\beta\text{-reductions} & \eta\text{-reductions} \\
(\alpha x.\, M)@N \ \triangleright\ M[N/x] & (\alpha x.\, M@x) \ \triangleright\ M \quad (x \notin \mathrm{free}(M)) \\
(\lambda x.\, M)N \ \triangleright\ M[N/x] & (\lambda x.\, Mx) \ \triangleright\ M \quad (x \notin \mathrm{free}(M))
\end{array}
\]

Proposition 4 (Subject Reduction) If $\Gamma \vdash M : A$ and $M \triangleright N$ then $\Gamma \vdash N : A$. 

Proof: To prove the $\beta$ case for $\lambda$, note that a derivation of $\Gamma \vdash (\lambda x.\, M)N : A$ must 
end in a use of $-\!*$E, followed by a number of applications of structural rules. The 
proof goes by induction on the length of this sequence. 
In the base case we have 

\[
\frac{\Gamma \vdash (\lambda x.\, M) : A -\!* B \qquad \Delta \vdash N : A}{\Gamma\ ,\ \Delta \vdash (\lambda x.\, M)N : B}
\]

as the last rule in the derivation. By the Reversibility Lemma we have $\Gamma\ ,\ x : A \vdash M : B$ 
and we can then use the instance 

\[
\frac{\Gamma\ ,\ x : A \vdash M : B \qquad \Delta \vdash N : A}{\Gamma\ ,\ \Delta \vdash M[N/x] : B}
\]

of the Substitution Lemma. 

All other cases (C, $\equiv$, W) are straightforward, with C using a typical commuta- 
tivity property of substitution. 

The $\beta$ law for $\to$ is similar, except that to handle the base case 

\[
\frac{\Gamma \vdash (\alpha x.\, M) : A \to B \qquad \Delta \vdash N : A}{\Gamma\ ;\ \Delta \vdash (\alpha x.\, M)@N : B}
\]

we use the instance 

\[
\frac{\Gamma\ ;\ x : A \vdash M : B \qquad \Delta \vdash N : A}{\Gamma\ ;\ \Delta \vdash M[N/x] : B}
\]

of the Substitution Lemma. Notice how the single, nested, formulation of the lemma 
covers both ";" and "," cases. 

The proofs for the $\eta$ laws are straightforward, also relying on Reversibility. ■ 

Finally, we remark that the strong normalization theorem for αλ does not require 
any work on our part, because it follows at once from the corresponding result for 
the simply-typed λ-calculus. 

Proposition 5 (Strong Normalization) There are no infinite reduction sequences 
starting from any typable term. 

Proof Sketch: We can define a mapping of αλ into the simply-typed λ-calculus 
which sends both $\to$ and $-\!*$ to the function type $\to$ of the λ-calculus. Any reduction in 
αλ then induces a reduction in the λ-calculus, which is preserved by the mapping. There 
can therefore be no infinite reduction sequences in αλ, or this would contradict the 
strong normalization theorem of the typed λ-calculus. ■ 



4.2 Semantic Interpretation 

Suppose we are given a cartesian dcc. An interpretation of αλ specifies an object $\llbracket p \rrbracket$ 
for each primitive type, which then extends to all types using the closed structures. 
A bunch is interpreted by mapping "," to $*$, ";" to $\wedge$, and similarly for the units. 
Then, for any proof $\pi$ of a judgement $\Gamma \vdash M : A$ we can define a map 

\[ \llbracket M \rrbracket_\pi : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket \]

by induction on $\pi$. 

To describe the interpretation, if $\Gamma(-)$ is a bunch with a hole, then it determines 
a functor $\llbracket \Gamma \rrbracket(-)$ on the dcc in question. When we write $\llbracket \Gamma \rrbracket(\llbracket \Delta \rrbracket)$ this indicates the 
action of the functor on objects, and the occurrences of $\llbracket \Gamma \rrbracket(\mathit{contr})$ and $\llbracket \Gamma \rrbracket(\pi_1)$ in 
the rules for Weakening and Contraction use the morphism part. 



Semantic Interpretation 

\[
\begin{array}{lll}
\mathrm{Id} & & \mathit{id} : \llbracket A \rrbracket \to \llbracket A \rrbracket \\[4pt]
\equiv & m : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket & i\,;\,m : \llbracket \Delta \rrbracket \to \llbracket A \rrbracket \quad (\text{canonical } i : \llbracket \Delta \rrbracket \to \llbracket \Gamma \rrbracket) \\[4pt]
\mathrm{W} & m : \llbracket \Gamma \rrbracket(\llbracket \Delta \rrbracket) \to \llbracket A \rrbracket & (\llbracket \Gamma \rrbracket(\pi_1))\,;\,m : \llbracket \Gamma \rrbracket(\llbracket \Delta \rrbracket \wedge \llbracket \Delta' \rrbracket) \to \llbracket A \rrbracket \\[4pt]
\mathrm{C} & m : \llbracket \Gamma \rrbracket(\llbracket \Delta \rrbracket \wedge \llbracket \Delta' \rrbracket) \to \llbracket A \rrbracket & (\llbracket \Gamma \rrbracket(\mathit{contr}))\,;\,m : \llbracket \Gamma \rrbracket(\llbracket \Delta \rrbracket) \to \llbracket A \rrbracket \quad (\text{where } \Delta \equiv \Delta') \\[4pt]
{\to}\mathrm{I} & m : \llbracket \Gamma \rrbracket \wedge \llbracket A \rrbracket \to \llbracket B \rrbracket & m^* : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket \to \llbracket B \rrbracket \\[4pt]
{\to}\mathrm{E} & m : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket \to \llbracket B \rrbracket,\ \ n : \llbracket \Delta \rrbracket \to \llbracket A \rrbracket & (m \wedge n)\,;\,\mathit{app}_{\to} : \llbracket \Gamma \rrbracket \wedge \llbracket \Delta \rrbracket \to \llbracket B \rrbracket \\[4pt]
{-\!*}\mathrm{I} & m : \llbracket \Gamma \rrbracket * \llbracket A \rrbracket \to \llbracket B \rrbracket & m^\circ : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket -\!* \llbracket B \rrbracket \\[4pt]
{-\!*}\mathrm{E} & m : \llbracket \Gamma \rrbracket \to \llbracket A \rrbracket -\!* \llbracket B \rrbracket,\ \ n : \llbracket \Delta \rrbracket \to \llbracket A \rrbracket & (m * n)\,;\,\mathit{app}_{-\!*} : \llbracket \Gamma \rrbracket * \llbracket \Delta \rrbracket \to \llbracket B \rrbracket
\end{array}
\]

In the interpretations of Weakening and Contraction, $\pi_1$ is the projection 
$\llbracket \Delta \rrbracket \wedge \llbracket \Delta' \rrbracket \to \llbracket \Delta \rrbracket$ and $\mathit{contr}$ is the doubling (diagonal) map 
$\langle \mathit{id}, \mathit{id} \rangle : \llbracket \Delta \rrbracket \to \llbracket \Delta \rrbracket \wedge \llbracket \Delta \rrbracket$ associated with cartesian structure. Note that 
$\llbracket \Delta \rrbracket$ and $\llbracket \Delta' \rrbracket$ are actually equal when $\Delta$ and $\Delta'$ differ only in the names of 
their identifiers, since the interpretation does not depend on those names; so this 
semantic clause is type correct. 

For the other rules, $i$ is a canonical isomorphism; $(-)^*$ and $(-)^\circ$ are the isomor- 
phisms of hom sets obtained from the adjunctions for $\to$ and $-\!*$; $\mathit{app}_{\to}$ and $\mathit{app}_{-\!*}$ 
are the application maps obtained from the adjunctions; $\langle m, n \rangle$ is the pairing for 
the cartesian product, and $m \wedge n = \langle \pi_1\,;\,m,\ \pi_2\,;\,n \rangle$ is the action of the $\wedge$ functor 
on morphisms; $m * n$ is the action of the $*$ functor on morphisms. 

There are two coherence issues worth mentioning here. The first concerns the 
isomorphism $i : \llbracket \Delta \rrbracket \to \llbracket \Gamma \rrbracket$. We intend that this is obtained from a proof that 
$\Delta \equiv \Gamma$ using commutative monoid laws: any such proof determines an isomorphism, 
using the coherent isomorphisms of symmetric monoidal categories [24]. We claim 
that applications of symmetry morphisms are explicitly disambiguated by the use of 
different identifiers for different types appearing in bunches, so that the morphism 
$i$ is unique. (This appears to follow from the usual coherence results for symmetric 
monoidal categories, but we will not carry out a detailed proof.) In any case, this 
coherence issue can often be sidestepped in specific models by using an interpreta- 
tion where equivalent bunches are semantically equal; an example will be given in 
Section 9.2. 

The second coherence issue has to do with the order of application of the rules: 
there can be different proofs $\pi$ and $\pi'$ of the same judgement $\Gamma \vdash M : A$, for instance 
when a structural rule is applied before or after an elimination or intro rule. In this 
situation we would like to know that the two proofs determine the same map 
$\llbracket M \rrbracket_\pi = \llbracket M \rrbracket_{\pi'}$. 

A detailed study of the connection between syntax and semantics would involve 
a careful proof of coherence, together with soundness and completeness results con- 
necting syntactic equality with equality in the models. We avoid this here, and 
instead refer the reader to Pym's monograph for more information [38]. 

However, since we have established that any proof of a judgement $\Gamma \vdash M : A$ 
determines a map from $\llbracket \Gamma \rrbracket$ to $\llbracket A \rrbracket$ in a cartesian dcc, we can use the following fact 
with confidence (even prior to coherence or completeness issues). 

Lemma 6 (Inhabitation Lemma) If there exists a cartesian dcc and interpreta- 
tion of primitive types in which the hom set $[\llbracket \Gamma \rrbracket, \llbracket A \rrbracket]$ is empty, then there can be 
no $M$ with $\Gamma \vdash M : A$ in αλ. 

5 Models for the Sharing Interpretation 

Thus far the sharing interpretation has been stated informally; in this section we give 
three models corresponding to it. In the models for the basic and non-commutative 
languages, we will give some somewhat lengthy examples, which show in some 
detail how the interpretations of types work. Our reason for doing this is that we 
are claiming that the sharing interpretation gives a consistent reading of bunched 
typing; to understand the sense in which it does, we need to do more than merely 
mention the models in passing. At the same time, though somewhat lengthy, these 
examples stop well short of being "applications" . 

An affine model is described briefly. A variant of it is developed more fully in 
Sections 7-10, when we consider SCI. 

The models in this section are instances of an abstract construction due to 
Day [12], which shows how to obtain a monoidal biclosed structure on the functor 
category $\mathbf{Set}^{\mathcal{C}^{op}}$, starting from a "promonoidal" structure on $\mathcal{C}$. Combined with the 
standard fact that $\mathbf{Set}^{\mathcal{C}^{op}}$ is cartesian closed, this construction gives us a host of 
models for bunched typing. 

We present the models here in an elementary fashion, using direct descriptions 
of the dcc structure; it is not even necessary to know (or remember) the definitions 
of cartesian closed structure in functor categories. In two of the three cases the 
parametrizing category will just be a set, or a discrete category, and $\mathbf{Set}^{\mathcal{C}^{op}} = \mathbf{Set}^{\mathcal{C}}$ is 
thus a product category. In the other case $\mathcal{C}$ is a poset. Our intention in doing this 
is to use very concrete, and even simple-minded, models, in order to make the 
connection back to sharing in a straightforward way. 

5.1 Resource Separation: The Basic Disjointness Model 

Let $\mathcal{F}$ denote the collection of finite subsets of a given infinite set $\mathit{Loc}$. We think 
of an element $X \in \mathcal{F}$ as a possible world, that determines a finite collection of 
resources or, more concretely, locations in computer memory. We will use the 
product category $\mathbf{Set}^{\mathcal{F}}$ as a model of αλ. For an object $A$ and element $a \in AX$, we 
regard $a$ as a computational entity that has access to $X$. The model in this section 
is for the basic version of αλ described in Section 3.1; we refer to it as the "basic 
disjointness model". 

The crucial operation on worlds is disjoint combination. It is a partial opera- 
tion, because we only combine those finite sets that are disjoint; intuitively, $X * Y$ 
indicates separation, where the component worlds $X$ and $Y$ determine distinct re- 
sources. 

\[
\begin{array}{ll}
X * Y = X \cup Y, & \text{when } X \cap Y = \{\}; \\
X * Y = \text{undefined}, & \text{when } X \cap Y \neq \{\}.
\end{array}
\]

This definition makes $\mathcal{F}, \{\}, *$ a partial commutative monoid. This means that the 
commutative monoid laws hold up to an equivalence $e \simeq e'$ on expressions built 
using $*$ which says that both sides are defined and equal or both undefined. 
The cartesian closed structure in $\mathbf{Set}^{\mathcal{F}}$ is determined pointwise. 

\[
\begin{array}{lcl}
(A \to B)X & = & AX \Rightarrow BX \\
(A \wedge B)X & = & AX \times BX \\
1X & = & \{*\}
\end{array}
\]

Here, $\Rightarrow$ and $\times$ are function space and product in $\mathbf{Set}$. 

Notice how the pointwise definition of — > corresponds closely to the informal 
reading in the sharing interpretation, where an additive function and its argument 
have access to the same resources. The additive function type has a strongly local 
character, where an application of a function stays located at a given world. 

To describe the multiplicative function type, we use a multiplicative form of 
indexed product. If $A(X, Y)$ is an expression (in the metalanguage) containing 
parameters $X, Y$ for distinct worlds, then 

\[ \prod_{Y\#} A(X, Y) \]

is the product, indexed over finite sets $Y$ disjoint from $X$. To be precise, an element 
is a function that accepts a world $Y$ disjoint from $X$ and produces an element of 
$A(X, Y)$. We often refer to the $Y$ parameter as being "fresh", to briefly indicate its 
disjointness from $X$. 

The multiplicative function type then quantifies over fresh worlds. 

\[ (A -\!* B)X \ =\ \prod_{Y\#} A(Y) \Rightarrow B(X * Y) \]

Because of the disjointness requirement on $\prod_{Y\#}$, the $X * Y$ component in this 
expression is always defined. 

In this definition the absence of $X$ in $A(Y)$ mirrors the informal description of 
multiplicative functions as disjoint from their arguments. An element $p \in (A -\!* B)X$ 
accepts a fresh world $Y$ and an element $a \in AY$ as arguments, and produces $p[Y]a \in B(X * Y)$: 
the "resources" for $p$ are $X$, while those for $a$ are $Y$, and these are 
separate in the result type by virtue of their positions in the combined world $X * Y$. 
This illustrates the spatial way of reading the semantic expressions referred to in 
the Introduction. 

We give an example to further illustrate the sharing aspect. Consider the inclu- 
sion $L : \mathcal{F} \to \mathbf{Set}$. For each finite set $X$, we think of $LX = X$ as a set of names, 
or locations. Let $N$ be the constant object, which is the natural numbers at every 
component, and define 

\[ S \ =\ L \to (1 \vee (N \wedge L)) \]

where $\vee$ is the pointwise-defined coproduct. Because of the pointwise definition of 
$\to$ we have that $SX = X \Rightarrow \{*\} + (N \times X)$. We regard an element $s \in SX$ as a 
representation of a portion of a computer store, where each $x \in X$ is a pointer to a 
linked list (possibly with loops). 

Now consider any function $f \in ((S \wedge L) \to ((S \wedge L) -\!* S))X$. $f$ accepts $(s, x) \in SX \times X$ 
and $(s', y) \in SY \times Y$, for fresh finite set $Y$, as arguments, and produces 
a state in $S(X * Y)$ as a final result. From the point of view of $S(X * Y)$, there 
is no overlap between $x$ and $y$, or between the other pointers in the list pointed to 
by $x$ and those pointed to by $y$. Thus, we can view $f$ as a procedure that accepts 
two linked lists as arguments, with the proviso that the two input lists are defined 
using disjoint collections of pointers. This kind of proviso is often required in the 
statement of correctness of an algorithm that, say, removes the elements of one list 
that appear in the other. 

On the other hand, consider the type $L \to (L -\!* (S \to S))$. A function of this 
type would accept two pointers to linked lists as arguments, and the two pointer 
arguments would again have to be distinct, but now they could point to lists that 
overlap in the store. 

No particular practical significance is claimed for this example; it is offered just 
as an illustration of how $-\!*$ and $\to$ can express sharing properties. 

In this model the multiplicative unit is $I$ where $I(\{\}) = \{*\}$, and $I(X) = \{\}$ for 
all other $X$. 

Before defining $*$ it is useful to observe that a multi-map characterization of 
maps out of $A * B$ is forced by the definition of $-\!*$. That is, if we are to have the 
isomorphism $\mathbf{Set}^{\mathcal{F}}[A * B, C] \cong \mathbf{Set}^{\mathcal{F}}[A, B -\!* C]$, then we must obtain the following. 

Maps $p : A * B \to C$ out of a tensor are in bijection with families of 
functions 

\[ p[X][Y] : AX \times BY \to C(X * Y), \]

indexed over disjoint finite sets $X$ and $Y$. 

The idea in terms of sharing is that the components of $*$ are assigned different 
resources (this is in line with the form of semantics devised by Reynolds for syntactic 
control of interference [33]). 

Given this characterization, we can give a simple description of the application 
map $\mathit{app}_{-\!*} : (A -\!* B) * A \to B$. It is nothing other than 

\[ \mathit{app}_{-\!*}[X][Y](p, a) \ =\ p[Y]a. \]

Also, the exponential transpose, which takes $m : A * B \to C$ to $m^\circ : A \to (B -\!* C)$, is just 

\[ m^\circ[X]a[Y]b \ =\ m[X][Y](a, b). \]

The actual definition of $*$ is straightforward: 

\[ (A * B)X \ =\ \{ (Y, Z, a \in AY, b \in BZ) \mid Y * Z = X \} \]

Here, the condition $Y * Z = X$ requires that $Y * Z$ be defined; so an element of 
$(A * B)X$ consists of a splitting of the current world, together with two entities of 
types $A$ and $B$ having access to the respective components of the splitting. 

The application and exponentiation maps for $\to$ are immediate, given the point- 
wise definition of $\to$. All told, we have all of the structure necessary to model 
αλ. 

Proposition 7 $\mathbf{Set}^{\mathcal{F}}$ is a cartesian dcc. 

From the point of view of this model the judgement 

\[ I \ \vdash\ \lambda x.\, \alpha f.\, (f@x)@x \ :\ A -\!* ((A \to A \to B) \to B) \]

from Section 3.2 is utterly unsurprising. It determines an element $p \in (A -\!* ((A \to A \to B) \to B))\{\}$ 
(where we indulge in a confusion between types and objects in 
$\mathbf{Set}^{\mathcal{F}}$). This function $p$ accepts a fresh world $X$ and $a \in AX$, and produces a func- 
tion $p[X]a \in ((A \to A \to B) \to B)X$. By the pointwise definition of $\to$, this is a 
function of type $(AX \Rightarrow AX \Rightarrow BX) \Rightarrow BX$ in $\mathbf{Set}$, and it is the expected function 
that maps $f$ to $(fa)a$. 

Remark 8 A broadly similar development can also be carried out in $\mathbf{Set}^{\mathcal{B}}$, where 
$\mathcal{B}$ is the category of finite sets and bijections. In this category, we model disjointness 
using the (total) operation $+$ on finite sets which takes disjoint union by tagging 
its components. For this to work, however, the use of non-identity bijections is 
crucial: it gives rise to associativity, unity and symmetry isomorphisms that make 
$(\{\}, +)$ a symmetric monoidal structure on $\mathcal{B}$. We could not use $\mathcal{F}$ with $+$, because 
$\mathcal{F}$ is a discrete category, and does not have the morphisms needed to make $(\{\}, +)$ 
monoidal on that category. 

Remark 9 It is important to see that there is no hidden Weakening or Contraction 
for "," lurking in the examples of terms that use their arguments two or zero times. 
In fact, we can see that these rules are absent from $\mathbf{Set}^{\mathcal{F}}$ in a very strong sense: there are 
not even any candidate maps of the required types to model them, let alone maps 
with the proper properties. 

To model Contraction we would need maps of shape $A \to A * A$. But there are 
no maps $L \to L * L$, where $L$ is the inclusion from $\mathcal{F}$ to $\mathbf{Set}$. To see why, given 
$a \in L\{a\}$ we would have to produce an element in $(L * L)\{a\}$, but this set is empty. 
The reason is that if $X * Y = \{a\}$ then either $X$ or $Y$ must be $\{\}$ and so, by the 
definition of $*$, a tuple in $(L * L)\{a\}$ would have to include an element of $L\{\}$. But 
$L\{\}$ is empty so there can be no such tuple. 

To model Weakening, we would need maps $A \to I$, for all $A$. But there are no 
maps $1 \to I$. 

These remarks confirm the non-admissibility of Weakening and Contraction for 
"," referred to in Section 3.1. 

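As an added example (this editor's code, not the paper's), the disjointness model can be computed directly for a constructed three-element Loc: worlds are frozensets, an object of Set^F is a Python function from worlds to finite sets, and the tensor is enumerated straight from the definition of (A * B)X. Since F is discrete, a map A → B is just a family of functions AX → BX, so whether any map exists is decided by inspecting each world. The functions star, tensor, has_map and remark_9 are this example's own names; they check the two claims of Remark 9 (no candidate map L → L * L, no candidate map 1 → I).

```python
# Added example, not from the paper: the basic disjointness model of
# Section 5.1 computed for a constructed tiny Loc, to check Remark 9.
# An object of Set^F is a function from worlds (frozensets) to finite sets.
from itertools import combinations

LOC = ('a', 'b', 'c')                                   # constructed Loc
WORLDS = [frozenset(s) for r in range(len(LOC) + 1) for s in combinations(LOC, r)]

def star(X, Y):
    """Disjoint combination: X * Y = X ∪ Y if X ∩ Y = {}, else undefined (None)."""
    return X | Y if not (X & Y) else None

def L(X):
    """The inclusion F -> Set: LX = X, the names available at world X."""
    return set(X)

def I(X):
    """Multiplicative unit: one element at the empty world, empty elsewhere."""
    return {'*'} if not X else set()

def one(X):
    """Additive unit 1: the one-point set at every world."""
    return {'*'}

def tensor(A, B):
    """(A * B)X = {(Y, Z, a, b) | Y * Z = X, a in AY, b in BZ}: a splitting of X
    together with entities having access to its two components."""
    def AB(X):
        return {(Y, Z, a, b) for Y in WORLDS for Z in WORLDS
                if star(Y, Z) == X for a in A(Y) for b in B(Z)}
    return AB

def has_map(A, B):
    """Whether a map A -> B exists in Set^F. F is discrete, so a map is just a
    family of functions AX -> BX, which exists iff no world has AX nonempty
    and BX empty."""
    return all(not A(X) or B(X) for X in WORLDS)

def remark_9():
    """Remark 9: (L * L){a} is empty, so no Contraction map L -> L * L; and
    1{a} is nonempty while I{a} is empty, so no Weakening map 1 -> I."""
    LL = tensor(L, L)
    return (LL(frozenset('a')) == set(), not has_map(L, LL), not has_map(one, I))
```

remark_9() returns (True, True, True). At the two-element world {a, b}, by contrast, (L * L){a, b} has exactly the two splittings ({a}, {b}, a, b) and ({b}, {a}, b, a), which is the splitting-of-the-current-world reading of the tensor.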
5.2 An Affine Model 

Strictly speaking, the sharing interpretation is stated for the basic version of αλ. 
The reading for the affine variant, which admits Weakening for the multiplicative 
combination ",", is obtained by changing the interpretation of the additive function 
type to say that functions may share resources with their arguments. 

Let $\mathcal{FS}$ (for $\mathcal{F}$-sub) denote the poset whose elements are the same as those of $\mathcal{F}$, 
ordered by subset inclusion. We will use the functor category 
$\mathbf{Set}^{\mathcal{FS}}$. The $*$ operation on worlds from the previous subsection satisfies the fol- 
lowing monotonicity property: if $X * Y$ is defined, and $Z \subseteq Y$, then $X * Z$ is 
defined and $X * Z \subseteq X * Y$. In this sense, $*$ gives $\mathcal{FS}$ the structure of an ordered partial 
commutative monoid. 

The first modification that needs to be made to the basic disjointness model is 
in the additive function type. There is a general formula for this type in a functor 
category, but it will be useful to adopt a special representation, which is tuned to 
the properties of $\mathcal{FS}$. 

Specifically, if $X \subseteq Z$ then there is a unique $Y$ such that $X * Y = Z$. This 
allows us to quantify only over sets disjoint from the current world when defining 
$\to$, instead of over all supersets of it. 

\[ (A \to B)(X) \ =\ \prod_{Y\#} A(X * Y) \Rightarrow B(X * Y), \ \text{natural in } Y. \]

Here, the notation $\prod_{Y\#}$ is the multiplicative indexed product defined in the last 
subsection. Naturality in $Y$ means that the equality 

\[ p[Z](A(X * Y \subseteq X * Z)\,a) \ =\ B(X * Y \subseteq X * Z)(p[Y]a) \]

holds when $Z \supseteq Y$ is disjoint from $X$. 

We think of the presence of $X$ in the argument type $A(X * Y)$ as indicating the 
possibility of sharing between procedure and argument. Notice, however, that by 
use of subset inclusion an element $p \in (A \to B)X$ can actually be applied to an 
element that "comes from" a world where $X$ is not present, such as $p[Y]a$ where 
$a = A(Y \subseteq X * Y)a'$ for some $a' \in AY$. So we regard the formula for the additive 
type as saying that the procedure may share with its argument. 

The definition of the morphism part of $A \to B$ is essentially as in Section 9.1. 

The multiplicative function type has the same definition as before, with natu- 
rality added: 

\[ (A -\!* B)X \ =\ \prod_{Y\#} A(Y) \Rightarrow B(X * Y), \ \text{natural in } Y. \]

Recall the judgement $f : A \to B \vdash \lambda x.\, f@x : A -\!* B$, that converts an additive 
to a multiplicative function in the affine language. In this model the conversion 
takes a natural transformation $A(X * -) \to B(X * -)$ and composes on the left 
with the map $A \to A(X * -)$ that sends $a \in AY$ to $A(\mathit{inr})a \in A(X * Y)$, where 
$\mathit{inr} : Y \subseteq X * Y$ is the right injection (the inclusion of $Y$ into the disjoint union $X * Y$). 
Here, an additive function in world $X$ is applied to an 
argument $a \in AY$ that doesn't happen to depend on $X$. 

To complete the definition of the model we must define $A * B$ for functors $A$ and 
$B$. First we set up a preorder. 

• Elements: tuples $(Y, Z, a \in AY, b \in BZ)$ where $Y * Z$ is defined and $Y * Z \subseteq X$. 

• Order: $(Y, Z, a \in AY, b \in BZ) \sqsubseteq (Y', Z', a' \in AY', b' \in BZ')$ if $Y \subseteq Y'$, 
$Z \subseteq Z'$, $a' = A(Y \subseteq Y')a$ and $b' = B(Z \subseteq Z')b$. 

Two tuples are then declared equivalent if they have a common parent under this 
order. Writing $[\cdot]$ for equivalence classes, 

\[ (A * B)X \ =\ \{ [(Y, Z, a \in AY, b \in BZ)] \mid Y * Z \text{ is defined and } Y * Z \subseteq X \}. \]

This definition is complex, but is just an instance of Day's tensor product, which 
can be described compactly using a coend formula: 

\[ \int^{Y, Z} AY \times BZ \times \mathcal{C}[X, Y * Z] \]

(here $\mathcal{C} = \mathcal{FS}^{op}$, so that $\mathcal{C}[X, Y * Z]$ is inhabited exactly when $Y * Z \subseteq X$). 

The unit of $*$ is the terminal object $1$, where $1X = \{*\}$ is constantly the one- 
point set, and so the model validates Weakening. 

Fact 10 $\mathbf{Set}^{\mathcal{FS}}$ is an affine dcc. 
Comparing to the work in the previous subsection, we can try to use the inclusion 
functor $L : \mathcal{FS} \to \mathbf{Set}$ as a variant on the functor used to illustrate the sharing 
interpretation. But $L$ has something of a different character in the affine model. It 
would not be as reasonable to think of $s \in (L \to (1 \vee (N \wedge L)))X$ as a state, because 
$s$ would have to accept other worlds $Y$, and potentially $y \in LY$, as arguments. So 
the development above, for the basic disjointness model, does not carry through 
well to the affine case. However, a thorough account of the sharing aspect of a 
variant of the affine model is given later, in the context of SCI. 

5.3 A Non-commutative Model 

In the non-commutative model the commutative multiplicatives $*$ and $-\!*$ will con- 
tinue to express absence of sharing. To this we add non-commutative operators $\bullet$, 
$\bullet\!-$ and $-\!\bullet$ which express a directional form of sharing. 

Let $\mathcal{W}$ denote the set of binary relations $X \subseteq \mathit{Loc} \times \mathit{Loc}$, for a fixed set $\mathit{Loc}$. 
A relation describes a constraint on the shape of the computer store, where $\ell X \ell'$ 
means that there can be a pointer from $\ell$ to $\ell'$. 

The non-commutative product of worlds, $X \bullet Y$, will describe a situation where 
there can be pointers from (the domain of) $Y$ back into $X$, but not vice versa. To 
describe this we make two definitions: 

- $\mathit{dom}X = \{\ell \mid \exists \ell'.\ \ell X \ell'\}$ is the domain of relation $X$; 

- $X \gg Y$ holds just if $\mathit{dom}X \cap \mathit{dom}Y = \{\}$ and $\ell X \ell' \Rightarrow \ell' \notin \mathit{dom}Y$. 

When $X \gg Y$ holds, the union of relations $X$ and $Y$ allows $\ell$ and $\ell'$ to be related, 
where $\ell \in \mathit{dom}Y$ and $\ell' \in \mathit{dom}X$, but not the converse. This leads us to 

- $X \bullet Y = X \cup Y$, when $X \gg Y$; 

- $X \bullet Y = \text{undefined}$, when $\neg(X \gg Y)$. 

There are two natural choices for the commutative product $*$. 

1. Shallow Non-interference: $X * Y = X \cup Y$, when $\mathit{dom}X \cap \mathit{dom}Y = \{\}$. 

2. Deep Non-interference: $X * Y = X \cup Y$, when $(\mathit{dom}X \cup \mathit{cod}X) \cap (\mathit{dom}Y \cup \mathit{cod}Y) = \{\}$. 

In either case (with the operation undefined in other cases), we obtain that $(\mathcal{W}, \{\}, *)$ 
is a partial commutative monoid. (We resist the temptation to formulate a language 
with two separate commutative monoidal fragments.) 

The definitions of $-\!*$ and $*$ in $\mathbf{Set}^{\mathcal{W}}$ are similar to the ones in the basic dis- 
jointness model, and omitted. 

To describe the non-commutative function types, we first define a non-commutative, 
multiplicative indexed product in the metalanguage. If $A(X, Y)$ is an expression 
containing parameters $X, Y$ for $\gg$-related worlds, then 

\[ \prod_{Y\gg} A(X, Y) \]

is the product indexed over worlds $Y$ such that $Y \gg X$. That is, an element is a 
function that accepts a world $Y$ where $Y \gg X$ holds, and produces an element of 
$A(X, Y)$. Similarly, an element of 

\[ \prod_{Y\ll} A(X, Y) \]

is a function that accepts a world $Y$ where $X \gg Y$ holds, and produces an element of 
$A(X, Y)$. In each case the subscript records on which side of $\bullet$ the accepted world $Y$ 
sits relative to $X$, which is what makes the composite worlds below defined. 

Then the two function types are: 

\[
\begin{array}{lcl}
(A \mathrel{\bullet\!-} B)X & = & \prod_{Y\gg} A(Y) \Rightarrow B(Y \bullet X) \\[4pt]
(A \mathrel{-\!\bullet} B)X & = & \prod_{Y\ll} A(Y) \Rightarrow B(X \bullet Y).
\end{array}
\]

For $\bullet$, 

\[ (A \bullet B)X \ =\ \{ (Y, Z, a \in AY, b \in BZ) \mid Y \bullet Z = X \}. \]

As in the basic disjointness model there is a multi-map characterization of maps 
out of $A \bullet B$, except that the characterization for $\bullet$ works with pairs of worlds 
subject to the constraint $Y \gg Z$; the application and transpose maps are also 
straightforward. So we state: 

Proposition 11 $\mathbf{Set}^{\mathcal{W}}$ is a model of the non-commutative variant: It is 

1. monoidal biclosed $(\bullet, \bullet\!-, -\!\bullet)$, 

2. symmetric monoidal closed $(*, -\!*)$, and 

3. cartesian closed $(\wedge, \to)$. 

(The cartesian closed structure is inherited pointwise from $\mathbf{Set}$.) 

The connection between the sharing interpretation and the definitions of -* 
and → established in the discussion of the disjointness model goes through just as 
well for the model of this section; so we concentrate on the directionality of sharing 
expressible using the non-commutative operators. (We stress that it is important 
that this reading does not invalidate that for the other connectives, especially the 
reading for the additive →.) 

First, we define states similarly as in the disjointness model, but with two 
differences. 

$$SX = \{\, s \in \mathrm{dom}\,X \to (\{\alpha\} \cup (\mathbb{N} \times Loc)) \mid s\ell = (n, \ell') \text{ implies } \ell X \ell' \,\}.$$

The first difference is the use of the constraint ℓXℓ′ determined by the relation: the 
store must be compatible with the given store shape. 

The second difference is that locations in the domain and range of a state s are 
treated differently, because the former must be in dom X while the latter are taken 
from all locations. We think of dom X as the collection of known or active locations 
at a given world. The use of Loc enables a situation where one location points to 
another, where that other's contents is unknown: we have dangling references. For 
example, in the world {(ℓ, ℓ′)} the store [ℓ ↦ (3, ℓ′)] is valid, where we do not know 
what ℓ′ points to. 

Dangling references play a crucial role in the treatment of •. For example, in 
the composite world Z = Y • {(ℓ, ℓ′)} we use the dangling reference ℓ′ in {(ℓ, ℓ′)} 
to "reach back" into Y. In this composite world there cannot be any pairs of the 
form (ℓ″, ℓ), so in a state s ∈ SZ there cannot be any pointers into ℓ. In particular, 
ℓ can be the head of a linked list, but not a non-head node. 

Now we want to see how the non-commutative function types work in this model. 
Recall the sharing interpretation for -•: 

A -• B: functions where the argument may depend on resources accessed by 
the function (but not vice versa). 

To make this concrete we work with an object of cells, as well as with states. 
Since we regard the domain of a relation as the collection of known cells, we set 
cell X = dom X (and cell I = {}). 
We are going to describe a map 

$$\textit{stack-alloc} : (\mathit{cell} \mathbin{-\!\bullet} (S \to S)) \to (S \to S)$$

where stack-alloc(λx.C) 

- allocates a new location, initializes it to α, and binds it to x; 

- executes C; 

- de-allocates the new location on block exit. 

This may seem surprising, since in the presence of pointers stack allocation is not 
generally possible. For, if you allocate a pointer, and make some other pointer 
point to it, then the new pointer cannot be deallocated without creating a dangling 
reference. (And, dangling references are a rich source of program errors.) 

Ultimately, this works because the right-leaning function type allows us to ex- 
press a kind of dependency: x may point to other, older, pointers but not the 
reverse. Thus, deallocating x on block exit will not create any dangling pointers. 
And, if we know that C does not itself create a dangling pointer - say, if there are 
no facilities for freeing or disposing a pointer in the language - then this form of 
stack allocation of pointers will be completely safe. 

To nail this down, first note that a function f ∈ (cell -• (S → S))X will accept 
a world Y and cell ℓ and then give us back 

$$f[Y]\ell : S(X \bullet Y) \to S(X \bullet Y).$$

What we need to do is choose ℓ to be a new location: then the definition of • will 
ensure that ℓ cannot be pointed to from X. We also need to choose the relational 
constraint for Y, and for this it makes sense to let ℓ point to anything in X. 
To formalize this discussion we require: 

- a location newloc(X) ∉ dom X. 

This location can be chosen using some enumeration of Loc. Next, we define 

- newworld(X) = {(newloc(X), ℓ) | ℓ ∈ dom X ∨ ℓ = newloc(X)}. 

The composite world X • newworld(X) describes a situation where a new location 
can point to locations in X, but not conversely. Then 

$$\textit{stack-alloc}[X]\, f\, s = \mathit{chop}\big(f[\mathit{newworld}(X)]\,\mathit{newloc}(X)\,[s \mid \mathit{newloc}(X) \mapsto \alpha]\big)$$

where chop takes a state in X • newworld(X) and removes newloc(X) from its 
domain, giving us a state in X. This chopping operation does not create any new 
dangling references; in particular, if there are no dangling references in s′, then there 
will be none in chop(s′). The point here is that the final state must obey the constraint 
described by X • newworld(X). The directional sharing information expressed by 
-• and • should be clear from this example. 

On the other hand, suppose we were to try the same thing with •-: 

$$(\mathit{cell} \mathbin{\bullet\!-} (S \to S)) \to (S \to S).$$

Then we could make the same definition as above, by redefining newworld(X) (so that 
the new location could not point into X) and using newworld(X) • X. But then we 
would no longer be guaranteed of safety of deallocation, because chopping the new 
location could create a dangling reference. 

As before, no particular practical significance is claimed for this example: To go 
further one would want to allow some form of heap allocation, or one might even 
regard the elements of worlds as regions rather than single locations. 
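The worlds, states and stack-alloc of this section, as an added example (my own Python, not the paper's), so that the constraint X • newworld(X) places on the body of the block can be checked mechanically. Assumed: locations are integers, α is the string "alpha", and newloc(X) is taken outside cod X as well as dom X so that X • newworld(X) is always defined.

```python
# Added example (my own code, not the paper's): the worlds-as-relations model of this
# section with stack-alloc and chop made concrete.  My assumptions: locations are small
# integers, the uninitialised value alpha is the string "alpha", and newloc(X) is taken
# outside both dom X and cod X so that X • newworld(X) is always defined.
from typing import Dict, FrozenSet, Optional, Set, Tuple

Loc = int
World = FrozenSet[Tuple[Loc, Loc]]      # (l, l') in X: there may be a pointer from l to l'
State = Dict[Loc, object]               # location -> ALPHA or (n, l')
ALPHA = "alpha"

def dom(X: World) -> FrozenSet[Loc]:
    return frozenset(l for l, _ in X)

def cod(X: World) -> FrozenSet[Loc]:
    return frozenset(l2 for _, l2 in X)

def rightward(X: World, Y: World) -> bool:
    """X >> Y: disjoint domains, and no pointer of X lands in dom Y."""
    return dom(X).isdisjoint(dom(Y)) and cod(X).isdisjoint(dom(Y))

def bullet(X: World, Y: World) -> Optional[World]:
    """Non-commutative product X • Y = X ∪ Y when X >> Y; None when undefined."""
    return X | Y if rightward(X, Y) else None

def star_shallow(X: World, Y: World) -> Optional[World]:
    """Shallow non-interference: X * Y defined when dom X and dom Y are disjoint."""
    return X | Y if dom(X).isdisjoint(dom(Y)) else None

def star_deep(X: World, Y: World) -> Optional[World]:
    """Deep non-interference: domains and codomains of X and Y are all disjoint."""
    return X | Y if (dom(X) | cod(X)).isdisjoint(dom(Y) | cod(Y)) else None

def is_state(s: State, X: World) -> bool:
    """s in SX: s is defined exactly on dom X, and s l = (n, l') implies l X l'."""
    if set(s) != set(dom(X)):
        return False
    return all(v == ALPHA or (l, v[1]) in X for l, v in s.items())

def dangling(s: State) -> Set[Loc]:
    """Pointer targets in s that are not themselves locations of s."""
    return {v[1] for v in s.values() if v != ALPHA and v[1] not in s}

def newloc(X: World) -> Loc:
    return max(dom(X) | cod(X), default=-1) + 1

def newworld(X: World) -> World:
    """newworld(X) = {(newloc(X), l) | l in dom X or l = newloc(X)}."""
    n = newloc(X)
    return frozenset((n, l) for l in dom(X) | {n})

def chop(s: State, X: World) -> State:
    """Drop newloc(X): restrict a state of X • newworld(X) to dom X."""
    return {l: v for l, v in s.items() if l in dom(X)}

def stack_alloc(X: World, f, s: State) -> State:
    """stack-alloc[X] f s = chop(f[newworld(X)] newloc(X) [s | newloc(X) -> alpha]),
    where f[Y] l maps S(X • Y) to S(X • Y)."""
    Y, n = newworld(X), newloc(X)
    Z = bullet(X, Y)
    if Z is None or not is_state(s, X):
        raise ValueError("precondition violated")
    s1 = dict(s)
    s1[n] = ALPHA
    s2 = f(Y, n, s1)
    if not is_state(s2, Z):     # X • newworld(X) forbids any pointer from X into n
        raise ValueError("body left S(X • newworld(X)): an old cell points at the new one")
    return chop(s2, X)

# Constructed sample: world 0 -> 1 -> 2, where 2 is a dangling reference of X0.
X0: World = frozenset({(0, 1), (1, 2)})
S0: State = {0: (10, 1), 1: (20, 2)}

def push_front(Y: World, n: Loc, s: State) -> State:
    """Make the new cell the head of the list: allowed, since n points back into X."""
    s = dict(s)
    s[n] = (5, 0)
    return s

def reach_forward(Y: World, n: Loc, s: State) -> State:
    """Make an old cell point at the new one: not a state of X • newworld(X)."""
    s = dict(s)
    s[0] = (10, n)
    return s

def demo() -> Tuple[State, Set[Loc], bool]:
    """Chopped state and its dangling set for push_front; whether reach_forward was rejected."""
    out = stack_alloc(X0, push_front, S0)
    try:
        stack_alloc(X0, reach_forward, S0)
        rejected = False
    except ValueError:
        rejected = True
    return out, dangling(out), rejected
```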

6 More on Categorical Models 

In this section we look more closely at some properties of the categorical models. 
The reader who is more interested in seeing αλ in action can safely skip forward to 
the next section. 
6.1 An Obstruction 

Although -* and → are not in general convertible to one another, the dcc isomor- 
phisms 

$$[I, A \mathbin{-\!*} B] \cong \mathbf{C}[A, B] \cong [1, A \to B]$$

do place a demand on non-degenerate models. We can make this precise by es- 
tablishing an obstacle to the existence of non-degenerate dcc's, which rules out 
categories such as Set or the category of predomains. To state this, recall that a 
category with a terminal object is well pointed if for any distinct parallel maps 
f, g : X → Y there is e : 1 → X such that e; f ≠ e; g. 

Proposition 12 If a cartesian dcc is well pointed then it is degenerate in at least 
one of the following two senses: 

(a) it is a preorder (at most one map in any hom set), or 

(b) the units 1 and I of the monoidal structures coincide (up to isomorphism). 

Proof: Suppose C well pointed and not a preorder. We show that I ≅ 1. 

To see that I is weakly terminal, since C is not a preorder there are two unequal 
maps A → B for some A and B. By adjointness we obtain two maps I → A -* B 
which, by well pointedness, can be distinguished by a map 1 → I. For any object 
D we can compose that map with D → 1, thus showing that I is weakly terminal. 

For uniqueness of the map D → I we make use of the following two facts. 

(i) [15] If C is a well pointed category then there is only one natural endomorphism 
on the identity functor id_C : C → C. 

(ii) [14] If (C, *, I) is a monoidal category then there is an injective function from 
C[I, I] into C^C[id_C, id_C]. 

It follows that the identity is the only endomorphism on I in C. Now, suppose 
(toward contradiction) that there are two maps D → I. Then there would be a 
map 1 → D distinguishing them by well pointedness, and composing gives us two 
maps f, g : 1 → I. By well pointedness we know that C is equivalent to a (not 
necessarily full) subcategory of Set, the category of its points (whose objects are 
hom sets C[1, A]), where 1 corresponds to a one-point set. From this it is evident 
that composing on the left with the unique map h : I → 1 we obtain two different 
endomorphisms (h; f), (h; g) : I → I. But we saw above that there could only 
be one such endomorphism, so we obtain a contradiction. So there can be at most 
one map D → I, and thus I is terminal and isomorphic to 1. ■ 

A preliminary version of this paper (from October, 1997) contained the erroneous 
claim that in a well-pointed dcc * and -* would collapse to ∧ and → as well. 
However, Martin Hofmann has constructed well-pointed affine dcc's in which the 
products and function types are indeed distinct [19]. 

Nonetheless, the proposition does establish an obstacle to the search for models 
by a number of standard techniques. For example, realizability models are often 
given using partial equivalence relations over a partial combinatory algebra; the 
maps are those functions on equivalence classes that can be tracked by an element 
in the algebra. But such categories are well pointed, so this construction cannot 
be immediately used to give non-degenerate realizability models of αλ. Indeed, the 
problem of finding a convincing realizability interpretation of αλ remains open. 
6.2 Other Models 

Our first example is degenerate, in that it is a poset (and even a boolean algebra). 

Example 13 Consider the two-element boolean algebra B = {f, t}. It can be 
viewed as a degenerate (posetal) ccc, where f ⊑ t, 1 = t and ∧ and → are given 
by the truth tables for conjunction and implication. The product poset B × B 
inherits this ccc structure in a pointwise fashion, and it has symmetric monoidal 
closed structure given by 



Coproduct structure is given by join in B x B. 

We can use this model to confirm the remark from Section 3.2 that -* and 
→ are not convertible to one another in the αλ-calculus. To see this, note that 
((f, t) → (t, f)) = (t, f) and ((f, t) -* (t, f)) = (f, t). This, combined with the 
fact that there are no maps between (f, t) and (t, f) in either direction, implies that 
there are no maps from ((f, t) → (t, f)) to ((f, t) -* (t, f)) or back. □ 

A number of other naturally occurring examples arise from Day's construction, 
including higher-dimensional automata [17], complexity models [19], and logical 
interpretations which can be viewed as posetal dcc's [11, 20]. 

A final example is given by the category Cat of small categories. 

Example 14 Cat is cartesian closed, with product of categories and the one object 
category giving finite products and the functor category B^A giving the additive 
exponent. Cat also has another closed structure, where A -* B is the category 
whose objects are functors and whose morphisms are "transformations," i.e. families 
of maps but without naturality constraints. The symmetric monoidal structure is 
given by Gray's tensor product [18] with the one object category as unit. So Cat is 
an affine, bicartesian dcc. These are the only symmetric monoidal closed structures 
on Cat [14]. □ 



In Section 3.2 we showed how αλ and linear λ-calculi mix additive and multiplicative 
function types in a fundamentally different way. In this section we would like 
to probe this issue further by asking: what happens if we add "!" to αλ? To 
study this question we will not formulate explicit syntactic rules for "!", but rather 
will work exclusively at the semantic level. Also, we will consider models that 
include coproduct types, so will work with bicartesian dcc's (cartesian dcc's that 
have coproducts). 

We have two reasons for asking this question. First, it further illuminates the 
differences between the two systems. Second, it is a first step towards understanding 
whether it is possible to have a type system that combines the merits of linear and 
bunched typing. 

We begin by noting a basic fact. 

Proposition 15 There is a model of αλ for which the decomposition !A -* B ≅ 
A → B is impossible. That is, there is no functor "!" which can decompose the 
additive function type into the multiplicative one, in that specific model. 
Proof: Consider the affine model from Section 5.2. We claim that there is no 
functor (or even function on objects) ! : Set^I → Set^I admitting !A -* B ≅ A → 
B. To see why, consider the constant functor 2 which delivers the two element set 
{t, f}. Then 

$$(A \mathbin{-\!*} 2)X = \mathrm{Set}^I[A, 2(X + -)] = \mathrm{Set}^I[A, 2]$$

is independent of X, and so A -* 2 is a constant functor. On the other hand, 
(A → 2)X = Set^I[A(X + −), 2] depends on X, and is not necessarily (isomorphic 
to) a constant functor. For instance, if L is the inclusion functor from I into Set, 
then (L → 2){} has two elements, corresponding to the two constant functions into 
{t, f}. But, (L → 2){a, b} has elements that are not in the range of (L → 2)(f : 
{} → {a, b}). One such maps a to t and b to f (and all other inputs to, say, f). 
Therefore, no matter what "!" we try to pick, !L -* 2 will be a constant functor, 
while L → 2 is not, so they cannot be isomorphic. ■ 

To the categorically-inclined reader this result will not be a surprise. But it 
does underline the fact that a dcc is not simply a model of linear logic in disguise. 
In fact, we have yet to find an interesting model of αλ that does admit such a 
decomposition. This is not an obstacle to the existence of some "!" satisfying the 
required properties for linear logic. It just shows that, in general, we cannot expect 
such a "!" to decompose the additive function type that exists in the αλ model. 

This leaves open the possibility, then, of having a category that is simultaneously 
a model of αλ and a model of linear logic. Here, we will take "model of linear logic" 
to mean a monoidal closed category, with products and coproducts, and equipped 
with a "monoidal comonad"; these are the models of intuitionistic linear logic, as 
presented in [7]. So we explicitly define: 

Definition 16 A dcc with "!" is a cartesian dcc with coproducts (a "bicartesian 
dcc"), with a monoidal comonad structure (where the monoidal structure used is 
that for (*, I)). 

These are the minimum conditions we would expect from a model for a system 
combining aA with "!". 

The affine model of Section 5.2 provides an example. There, for "!" we choose 
the functor where !AX = A{}. We omit the further data needed to describe a 
monoidal comonad, and simply state: 

Proposition 17 Set^I with the indicated structure is an αλ with "!" model. 

This gives us a model with an additive function type A → B, the exponent 
in the functor category, together with an additional function type !A -* B gotten 
by decomposition. To see how different the decomposed function type is, consider 
p ∈ (!A -* B)X. This gives, for any world Y, a function from A{} to B(X + Y) 
which is, by naturality, completely determined by a function from A{} to BX. So, 
such a function effectively accepts only "resource unconscious" arguments. In fact, 
we can see that this comonad essentially arises from an adjunction between Set^I 
and Set. The left adjoint takes any functor A to A{} and the right adjoint takes a 
set to the constant functor on it. 

So, we see that it is possible to add "!" to αλ, and that doing so does not 
completely collapse the system (at least, we have seen how to do so semantically). 
But if we add "!" it is natural to ask how the resulting system relates to linear 
logic. The system is clearly an extension of linear logic, but it is not a conservative 
extension of it because of the following. 

Fact 18 Any dcc with "!" satisfies distribution: 

$$A \wedge (B \vee C) \cong (A \wedge B) \vee (A \wedge C).$$

However, distribution fails in models of linear logic (for instance, in the coherence 
space model). 

This fact follows at once from the requirement that A ∧ (−) be a left adjoint (because 
of →), which hence must preserve coproducts. 

This suggests that, while it is possible to add "!" to αλ, the resulting system 
does not retain the merits of linear logic (though it might have other merits). The 
previous proposition rules out the most important models of linear type theory that 
have been given in the literature, including coherence space and the strict-function 
model from domain theory. 

Ideally, we would like a way to combine linear and bunched typing in a way 
that simultaneously accounts for sharing as in bunched typing and consumption 
as in linear logic. (Examples of the consumptive aspect of linear typing include 
[22, 49, 33, 6].) Here we have discussed models that consist of a single category, 
possessing all of the properties required to model both linear logic or type theory 
and BI or αλ, and concluded that the essence of linear logic is lost in such models. 
There is another way that one might try to combine linear and bunched typing, 
based on a pair of categories. In the pair-of-category models of linear logic one 
asks for a symmetric monoidal category and a separate cartesian (perhaps closed) 
category, with a monoidal adjunction between them [4, 2]. To obtain a combined 
linear/bunched type system one might start with a symmetric monoidal closed cat- 
egory and a separate cartesian dcc. By observing such a separation, it might be 
possible to develop a calculus that supports number-of-uses and sharing interpre- 
tations at the same time, where the multiplicatives in the smcc have to do with 
consumption and those in the dcc with sharing. The main problem, besides having 
convincing specific models, is to determine the right conditions on the means of 
passing from one category to the other, and the corresponding syntactic rules. 

7 Interference Control 

Now we switch gears and show a detailed use of αλ. In this section we describe 
syntactic control of interference and Idealized Algol, two imperative languages de- 
fined by Reynolds in the late 70s and early 80s. The following section shows how 
SCI and IA can be combined into a single language, whose type system is based on 
the affine αλ-calculus. This combined language overcomes a problem with recursion 
in the original SCI [43, 45]. After that, we indicate how αλ can be used to treat 
jumps, another problem area in the original SCI. 

Experience suggests that SCI can be difficult to understand if presented too 
quickly. Therefore, we will include a number of small examples, and some informal 
discussion, in this section. The main focus, again, is on the connection between 
structural rules and sharing. 



7.1 Basic SCI 

We work with a version of SCI whose types are as follows. 

ρ ::= exp | cell | comm                       primitive types 

θ ::= ρ | θ ∧ θ′ | θ -* θ′                    types 

The primitive type exp is the type of natural number-valued expressions, comm 
is the type of commands, and cell is the type of storage cells, or locations. 
Affine λ-calculus 

$$\frac{}{x : \theta, \Gamma \vdash x : \theta}\ \mathrm{Id}
\qquad
\frac{\Delta \vdash M : \theta}{\Gamma \vdash M : \theta}\ \mathrm{Ex}\ \ (\text{where } \Delta \text{ is a permutation of } \Gamma)$$

$$\frac{\Gamma, x : \theta \vdash M : \theta'}{\Gamma \vdash \lambda x{:}\theta.\, M : \theta \mathbin{-\!*} \theta'}\ {-\!*}\mathrm{I}
\qquad
\frac{\Gamma \vdash M : \theta \mathbin{-\!*} \theta' \quad \Delta \vdash N : \theta}{\Gamma, \Delta \vdash MN : \theta'}\ {-\!*}\mathrm{E}$$

$$\frac{\Gamma \vdash M : \theta \quad \Gamma \vdash N : \theta'}{\Gamma \vdash \langle M, N\rangle : \theta \wedge \theta'}\ \wedge\mathrm{I}
\qquad
\frac{\Gamma \vdash M : \theta_1 \wedge \theta_2}{\Gamma \vdash \pi_i M : \theta_i}\ \wedge\mathrm{E}\ \ (\text{where } i \text{ is 1 or 2})$$

A typing context Γ here is a list of assumptions x : θ pairing identifiers with types, 
with the proviso that no identifier appears twice. 

The crucial rule is -* E, where the use of distinct contexts Γ and Δ prevents 
the procedure and argument from sharing identifiers (the proviso that no identifier 
appears twice in a context puts an implicit constraint on Γ, Δ). Because of this, 
Contraction is not admissible in this setup, though the rule of Weakening 

$$\frac{\Gamma \vdash M : \theta'}{\Gamma, x : \theta \vdash M : \theta'}\ \mathrm{Weakening}$$

is. In fact, an equivalent way to present the system is to include Weakening explic- 
itly, along with a rule 

$$\frac{}{x : \theta \vdash x : \theta}\ \mathrm{Id}'$$

for identifiers that does not include the dummy assumption Γ. 

SCI-Specific Rules 

$$\frac{\Gamma \vdash M : comm \quad \Delta \vdash N : comm}{\Gamma, \Delta \vdash M \parallel N : comm}
\qquad
\frac{\Gamma \vdash M : comm \quad \Gamma \vdash N : comm}{\Gamma \vdash M ; N : comm}$$

$$\frac{}{\Gamma \vdash n : exp}\ \ (n \text{ a numeral})
\qquad
\frac{\Gamma \vdash N_1 : exp \quad \Gamma \vdash N_i : comm,\ i = 2, 3}{\Gamma \vdash \mathbf{if}\ N_1 = 0\ \mathbf{then}\ N_2\ \mathbf{else}\ N_3 : comm}$$

$$\frac{x : \theta \vdash M : \theta}{\vdash \mathbf{rec}\ x.\, M : \theta}
\qquad
\frac{\Gamma, x : cell \vdash M : comm}{\Gamma \vdash \mathbf{new}\ x.\, M : comm}$$

$$\frac{\Gamma \vdash M : cell}{\Gamma \vdash M : exp}
\qquad
\frac{\Gamma \vdash M : cell \quad \Gamma \vdash N : exp}{\Gamma \vdash M := N : comm}$$

We have included a rule for implicit dereferencing, which converts a term of type 
cell to one of type exp. Most of the other rules should be familiar; we mention 
only that new allocates a fresh cell (which is put on the runtime stack). We have 
not listed typical arithmetic operations. 

Now let us reconsider the example from the Introduction, which leads to aliasing: 

((λx.λy. ··· x := 1; y := 2) z) z. 

This term does not typecheck in SCI because the function ((λx.λy. ··· x := 1; y := 
2) z) and argument z share the free identifier z: there is no way to apply the 
elimination rule for -*. 

The parallel composition M || N is included alongside M; N for contrast. If 
interference control is working properly then we would expect, because of the use 
of disjoint contexts, that the commands M and N refer to distinct areas of storage 
in M || N. As a result, its overall effect should be determinate, and it should be 
semantically equivalent to the sequential composition M; N (when M || N type- 
checks). For example, x := x + 1 || y := 2 is perfectly determinate, as long as x and 
y denote distinct cells. But x := x + 1 || x := 2, which would be indeterminate, is 
ruled out by the typing rule for ||. 

Conversely, if interference control is not working properly, then we would expect 
this to be seen in M || N. For example, x := 1 || y := 2 would be indeterminate if 
x and y were aliases. 

The restricted rule for recursion, where x is the only contextual variable in the 
premiss, is what one expects for affine typing. If M had free identifiers other than x 
then a fixed-point unwinding rec x.M ▷ M[rec x.M/x] could violate affine typing. 
This can be seen also with a fixed-point combinator Y(M) where M : A -* A: an 
unwinding to M(Y(M)) would violate the disjointness property of procedure calls, 
if M was not closed. 

As we mentioned in the Introduction, the original SCI allowed a restricted form 
of Contraction for passive types, which are types of values that may read from, but 
not write to, the store. Passivity is discussed briefly in Section 8.3. 

7.2 The Sharing Interpretation of SCI 

We saw above how abolishing Contraction eliminates one instance of aliasing. More 
generally, the absence of aliasing is subsumed under the 

Disjointness Policy: distinct identifiers never interfere. 

In the language here we take "interfere" to mean "refer to common storage." 

The disjointness policy impacts the meaning of function types, while the meaning 
of products remains more standard: 

A -* B: functions that don't interfere with their arguments; 
A ∧ B: pairs that may interfere with one another. 

SCI did not, originally, have a multiplicative product. The reading for it would be 

A * B: pairs whose components don't interfere with one another. 

But a form of this product is already present in the comma in typing contexts, in 
that in a judgement 

x₁ : A₁, ..., x_n : A_n ⊢ M : B 

the disjointness policy expresses the same non-interference property as for *. 

It is important to realize how the sharing interpretation is an unusual reading of 
the affine λ-calculus. Often, the idea in the affine calculus is that a function uses its 
argument at most once, so that for instance in a function of type A ∧ B -* C either 
the A or the B component may be used, but not both. But according to SCI's 
reading, it is perfectly reasonable for a function p of such a type to use either or 
both components of a pair (a, b) supplied to it as an argument, and either of these 
elements could be used many times. The only constraint is that p doesn't interfere 
with (a, b). 

For example, in SCI we can write a function 

(λc : comm ∧ comm. π₁c; π₂c; π₁c) : comm ∧ comm -* comm 

that uses the first component of a pair twice and the second component once. 

The sharing reading also helps to understand the typing of if. In the number- 
of-uses reading, in if N₁ = 0 then N₂ else N₃ one would expect to use one context 
for N₁, and a separate context for N₂ and N₃. But the conditional essentially 
corresponds to a constant of type exp ∧ comm ∧ comm -* comm in SCI and 
there is no inconsistency if all the N_i's share the same context. In imperative 
programming this sharing is often wanted, so that information can pass from the 
condition into the branches. 

Now the affine λ-calculus certainly does not force the sharing reading. But it 
is consistent with it. The pure affine calculus is actually too small for this "many 
uses" aspect to be seen; the additional constants of SCI are where it comes out. 
The pure αλ-calculus, in contrast, already admits multiplicative functions that use 
their arguments many times, as we saw in Section 3.2. 



7.3 IA 

IA (for Idealized Algol) is similar to SCI, except that it uses the simply-typed λ- 
calculus in place of the affine λ-calculus. Formally, it is obtained from Basic SCI 
by removing the rule for || and adding Contraction and a new rule for recursion 

$$\frac{\Gamma, x : \theta, y : \theta \vdash M : \theta'}{\Gamma, z : \theta \vdash M[z/x, z/y] : \theta'}\ \mathrm{Contraction}
\qquad
\frac{\Gamma, x : \theta \vdash M : \theta}{\Gamma \vdash \mathbf{rec}\ x.\, M : \theta}$$

Instead of adding Contraction, we could equivalently banish the disjointness re- 
quirement in the -* E rule. IA violates the disjointness policy, as now a term 
((λx.λy. ··· x := 1; y := 2) z) z, where distinct identifiers x and y interfere, is 
typable. 

For future reference (Proposition 19), in IA we also rename -* to →, to em- 
phasize that it uses simply-typed λ-calculus. 



7.4 A Limitation 

Many programs one would typically write (in a language, or language fragment, like 
IA without references or pointers) do in fact satisfy the disjointness policy of SCI. 
But a problem with recursion was raised by Reynolds [43]: If a recursive procedure 
contains a free identifier which uses storage in an active way (by changing it), then 
in the body of the procedure this free identifier and the procedure being defined will 
interfere (violating the disjointness policy). Technically, this problem is avoided in 
the affine type system in this section by restricting the rule for recursion, so that a 
recursive procedure cannot have any free identifiers. 

An example of this limitation is the Towers of Hanoi program, where disks are 
moved between pegs. 

procedure movemany(k, a, b, c : int) 
    if k > 0 then 
        movemany(k − 1, a, c, b); 
        moveone(a, b); 
        movemany(k − 1, c, b, a) 

The procedure moveone can work by printing a message to the screen, or by record- 
ing a move in a global data structure. 

Technically, since moveone is free in the body of the procedure, we cannot use 
the restricted rule for recursion to type it. Desugaring the recursion, we would have 
to type rec movemany. λkabc. body in a context that contains moveone, where the 
recursion rule requires an empty context. 

More conceptually, moveone and movemany interfere in the body of the proce- 
dure if moveone contains side effects. Other examples of this form may be found 
in objects where one of the methods is recursive. 

It is possible to write a recursive version of movemany in SCI by passing 
moveone as a dummy argument, and instantiating a curried version of the pro- 
cedure with the actual movemany. But this seems unnecessarily complex, as the 
given definition of movemany is simple and clear enough as is; as a result, it does 
seem to be desirable to be able to turn off interference control in local contexts, as 
long as we can turn it back on again in a broader context. The "problem" would 
be exacerbated when programming an object that uses several cells to maintain a 
local state. 



8 An Enveloping Language 
8.1 SCI+ 

Now we consider a language, SCI+, that has primitive operations similar to those 
in IA and SCI, but which uses the affine αλ-calculus as its type system. 
The types are given by the following grammar. 

ρ ::= exp | cell | comm                           primitive types 

θ ::= ρ | θ ∧ θ′ | θ → θ′ | θ -* θ′                types 

The primitive types are as in SCI and Idealized Algol, and we include both of the 
function types of αλ, with the rules from the affine variant as in Section 3.3. We 
also include the rules for cartesian products. 

$$\frac{\Gamma \vdash M : A \quad \Gamma \vdash N : B}{\Gamma \vdash \langle M, N\rangle : A \wedge B}\ \wedge\mathrm{I}
\qquad
\frac{\Gamma \vdash M : A_1 \wedge A_2}{\Gamma \vdash \pi_i M : A_i}\ \wedge\mathrm{E}\ \ (\text{where } i \text{ is 1 or 2})$$



SCI+-specific Typing Rules. 

$$\frac{\Gamma \vdash M : comm \quad \Delta \vdash N : comm}{\Gamma, \Delta \vdash M \parallel N : comm}
\qquad
\frac{\Gamma \vdash M : comm \quad \Gamma \vdash N : comm}{\Gamma \vdash M ; N : comm}$$

$$\frac{}{\Gamma \vdash n : exp}\ \ (n \text{ a numeral})
\qquad
\frac{\Gamma \vdash N_1 : exp \quad \Gamma \vdash N_i : comm,\ i = 2, 3}{\Gamma \vdash \mathbf{if}\ N_1 = 0\ \mathbf{then}\ N_2\ \mathbf{else}\ N_3 : comm}$$

$$\frac{\Gamma ; x : \theta \vdash M : \theta}{\Gamma \vdash \mathbf{rec}\ x.\, M : \theta}
\qquad
\frac{\Gamma, x : cell \vdash M : comm}{\Gamma \vdash \mathbf{new}\ x.\, M : comm}$$

$$\frac{\Gamma \vdash M : cell}{\Gamma \vdash M : exp}
\qquad
\frac{\Gamma \vdash M : cell \quad \Gamma \vdash N : exp}{\Gamma \vdash M := N : comm}$$

All of these rules except for rec are, textually, exactly the same as rules in IA or 
SCI. The difference is that now the comma has a different meaning than in IA, in 
that it refers to the multiplicative combination. If we read the IA "," as ";" in 
SCI+, and the SCI "," as ",", then we have omitted the rule for recursion from 
SCI, and the rule for new from IA. Let us see that the omitted rules are derivable. 
The IA new would be 

$$\frac{\Gamma ; x : cell \vdash M : comm}{\Gamma \vdash \mathbf{new}\ x.\, M : comm}$$

We can derive this at once using the SCI+ rule for new and the inference 

$$\frac{\Gamma ; x : cell \vdash M : comm}{\Gamma, x : cell \vdash M : comm}$$

which is an instance of the Conv rule of affine αλ. 
The recursion rule we have given is the one appropriate to IA. It has the SCI 
rule as a special case, using Γ = 1 and a coherent equivalence. The use of ";" 
instead of "," in this rule is crucial. 

Given these remarks it is not difficult to show the following. 

Proposition 19 1. SCI+ has IA as a sublanguage. That is, if 

x₁ : A₁, ..., x_n : A_n ⊢ M : B 

in IA then 

x₁ : A₁°; ...; x_n : A_n° ⊢ M° : B° 

in SCI+, where (·)° maps λ to α, MN to M°@N°, and everything else (in- 
ductively) to itself. 

2. SCI+ has SCI as a sublanguage. That is, if 

x₁ : A₁, ..., x_n : A_n ⊢ M : B 

is derivable in SCI then it is also derivable in SCI+. 

8.2 The Sharing Interpretation 

There is thus a syntactic sense in which SCI+ is an enveloping language, but this 
in itself is unremarkable. It is still conceivable that the larger language has features 
that are inconsistent with the essence of IA or SCI, destroying some crucial aspect 
of one of the smaller languages. 

The sharing interpretation of αλ describes the sense in which the larger language 
preserves the essence of SCI; the readings of -* and ∧ are exactly as in SCI. The 
reading of → is one that is appropriate to IA. To sum up: 

A ∧ B: pairs that may access a common portion of the store; 
A -* B: procedures that don't share store with arguments; 
A → B: procedures that may share store with arguments. 

The resulting sense in which the αλ-calculus allows detection of interference 
is that whenever we see a sequence αx λy or λx λy we know that x and y don't 
interfere. So, non-interference can be inferred (in a fail-safe manner) from a simple 
inspection of a context. The one difference is that in Basic SCI this determination 
is context free. It is context sensitive in SCI+ because when we see αx αy or λx αy 
we don't know if x and y interfere or not. 
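The typing rules of Sections 7.1 and 8.1 and the context-inspection reading just described, as an added example (my own Python, not the paper's): a checker for a fragment of SCI+ over bunched contexts, which rejects the aliasing term under λ and accepts it under α. Assumed: weakening and exchange are folded into a check that the lowest bunch node joining any identifier used by the procedure with any identifier used by the argument is ","; rec, products and if are left out, and the no-identifier-twice proviso is not enforced.

```python
# Added example (my own code, not the paper's): a checker for the bunched typing of a
# fragment of SCI+ (rules of 7.1 and 8.1, without rec, products or if).  A context is a
# bunch: ("id", x, type) leaves joined by (",", B1, B2) or (";", B1, B2).  My simplification:
# weakening and exchange are folded into the check, so the disjoint contexts Γ, Δ demanded
# by -* E and by || reduce to the inspection of 8.2: the lowest bunch node joining any
# identifier used in M with any identifier used in N must be ",".
EXP, CELL, COMM = "exp", "cell", "comm"

def fn(a, b): return ("-*", a, b)       # multiplicative function type θ -* θ'
def afn(a, b): return ("->", a, b)      # additive function type θ → θ'
def bind(bunch, kind, x, ty): return (kind, bunch, ("id", x, ty))   # Γ, x:θ  or  Γ; x:θ

def lookup(bunch, x):
    """Type of identifier x in the bunch, or None if it does not occur."""
    if bunch[0] == "id":
        return bunch[2] if bunch[1] == x else None
    return lookup(bunch[1], x) or lookup(bunch[2], x)

def _path(bunch, x):
    # (kind, side) steps from the root down to the leaf x, or None if x is absent
    if bunch[0] == "id":
        return [] if bunch[1] == x else None
    for side in (1, 2):
        rest = _path(bunch[side], x)
        if rest is not None:
            return [(bunch[0], side)] + rest
    return None

def separated(bunch, x, y):
    """True iff distinct, bound x and y are joined by a "," node, so they cannot interfere."""
    if x == y:
        return False
    for (kind, sx), (_, sy) in zip(_path(bunch, x), _path(bunch, y)):
        if sx != sy:
            return kind == ","
    return False

def fv(t):
    # free identifiers of a term
    if t[0] == "var":
        return {t[1]}
    if t[0] == "num":
        return set()
    if t[0] in ("lam", "alam", "new"):
        return fv(t[-1]) - {t[1]}
    return set().union(*(fv(s) for s in t[1:]))

def require_disjoint(bunch, M, N, rule):
    # M and N have already been typed, so every identifier here is bound in the bunch
    for x in fv(M):
        for y in fv(N):
            if not separated(bunch, x, y):
                raise TypeError(f"{rule}: {x} and {y} may interfere")

def expect(bunch, t, ty):
    actual = typeof(bunch, t)
    if actual != ty and not (actual == CELL and ty == EXP):   # implicit dereferencing
        raise TypeError(f"expected {ty}, got {actual}")

def typeof(bunch, t):
    k = t[0]
    if k == "var":
        if lookup(bunch, t[1]) is None:
            raise TypeError(f"unbound identifier {t[1]}")
        return lookup(bunch, t[1])
    if k == "num":
        return EXP
    if k in ("lam", "alam"):     # -* I extends Γ with ","; → I extends it with ";"
        kind, mk = (",", fn) if k == "lam" else (";", afn)
        return mk(t[2], typeof(bind(bunch, kind, t[1], t[2]), t[3]))
    if k == "app":
        f = typeof(bunch, t[1])
        if not isinstance(f, tuple):
            raise TypeError("application of a non-function")
        expect(bunch, t[2], f[1])
        if f[0] == "-*":         # -* E needs Γ, Δ: procedure and argument disjoint
            require_disjoint(bunch, t[1], t[2], "-* E")
        return f[2]              # → E lets procedure and argument share Γ
    if k in ("seq", "par", "assign"):
        need = (CELL, EXP) if k == "assign" else (COMM, COMM)
        expect(bunch, t[1], need[0])
        expect(bunch, t[2], need[1])
        if k == "par":           # M || N needs Γ, Δ like -* E; M ; N shares one Γ
            require_disjoint(bunch, t[1], t[2], "||")
        return COMM
    if k == "new":               # Γ, x:cell ⊢ M : comm  /  Γ ⊢ new x. M : comm
        expect(bind(bunch, ",", t[1], CELL), t[2], COMM)
        return COMM
    raise TypeError(f"unknown term {k}")

def check(bunch, t):
    """Type of t under bunch, or None when the judgement is not derivable."""
    try:
        return typeof(bunch, t)
    except TypeError:
        return None

# Constructed sample terms; BODY is  x := 1; y := 2  from the Introduction's example.
BODY = ("seq", ("assign", ("var", "x"), ("num", 1)), ("assign", ("var", "y"), ("num", 2)))
ALIAS_MULT = ("app", ("app", ("lam", "x", CELL, ("lam", "y", CELL, BODY)), ("var", "z")), ("var", "z"))
ALIAS_ADD = ("app", ("app", ("alam", "x", CELL, ("alam", "y", CELL, BODY)), ("var", "z")), ("var", "z"))
PAR_XY = ("par", ("assign", ("var", "x"), ("num", 1)), ("assign", ("var", "y"), ("num", 2)))
NEW_PAR = ("new", "n", ("par", ("assign", ("var", "n"), ("num", 1)), ("assign", ("var", "x"), ("num", 2))))
```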

Let us revisit the Towers of Hanoi in light of this interpretation. The movemany 
procedure can now be typed without difficulty, because we have IA as a sublanguage. 
It is instructive, however, to look at the way the typing works, as it illustrates the 
way we can move between SCI-style and IA-style typing in SCI+. 

Using the rule for recursion we can type (with a little syntactic sugar) 

moveone : exp → exp → comm 
⊢ rec movemany. αk a b c : exp. 
    if k > 0 then 
        movemany(k − 1, a, c, b); 
        moveone(a, b); 
        movemany(k − 1, c, b, a) 
  : exp → exp → exp → exp → comm 

The critical point is that, during the typing of the body, we turn interference control 
off by using the bunch 

moveone : exp → exp → comm 
; movemany : exp → exp → exp → exp → comm 

which indicates that moveone and movemany might interfere. But more globally we 
can turn interference control back on and, for instance, run a call to the recursive 
procedure in parallel with another command, as long as that command doesn't 
interfere with moveone. 

moveone : exp → exp → comm , c : comm 
⊢ ((rec movemany. ···) 7 1 2 3) || c : comm 



8.3 Passivity 

The language Basic SCI in Section 7.1 is in fact only a fragment of Syntactic Control
of Interference, which includes typing rules for passivity [43, 45, 30]. A passive
entity, such as a side-effect free expression, can safely be shared without causing
interference, and a passive type is one whose elements are all passive. Bunches are
compatible with the approach to passivity in the SCIR type system from [30]; we
briefly indicate how this is so.

The SCIR type system uses judgements Π | Γ ⊢ M : A, where the context is split
into a passive zone Π and an active zone Γ. The three critical rules of the system are
the permeability rules of Activation and Passification, for moving an identifier across
the | separator, and Contraction in the passive zone.

$$\frac{\Pi \mid x : B, \Gamma \vdash M : A}{\Pi, x : B \mid \Gamma \vdash M : A}\ \text{Passif (where } A \text{ is passive)}
\qquad
\frac{\Pi, x : B \mid \Gamma \vdash M : A}{\Pi \mid x : B, \Gamma \vdash M : A}\ \text{Activ}$$

$$\frac{\Pi, y : B, z : B \mid \Gamma \vdash M : A}{\Pi, y : B \mid \Gamma \vdash M[y/z] : A}\ \text{Contr}$$



The zonal presentation does not work well with bunches, because we would want to 
be able to indicate that an identifier is passive without saying that a whole bunch 
is. 

The solution is to allow "marked assumptions" (x* : A) alongside "normal assumptions" (x : A). Then, with an extension of marking to contexts, the three rules
are as follows:

$$\frac{\Gamma(\Delta) \vdash M : A}{\Gamma(\Delta^*) \vdash M : A}\ \text{Passif (where } A \text{ is passive)}
\qquad
\frac{\Gamma(\Delta^*) \vdash M : A}{\Gamma(\Delta) \vdash M : A}\ \text{Activ}$$

$$\frac{\Gamma(\Delta^*, \Delta'^*) \vdash M : A}{\Gamma(\Delta^*) \vdash M[i(\Delta^*)/i(\Delta'^*)] : A}\ \text{Contr (where } \Delta^* \equiv \Delta'^*)$$

This gives us a limited form of Contraction for ",", in addition to the general Contraction for ";". These rules can all be interpreted using the bireflective subcategory
structure found in Tennent's model [30, 15].

8.4 Remaining Limitations 

The language here uses call by name as its parameter passing mechanism. The 
extension of the approach to call by value does not appear to raise insuperable 
difficulties, but the typing rules required tend to become more complex when one 
wants to separate out the effects caused by evaluation to a value, from those that 
are "latent". Latent effects occur only later, when using the value; for example, in
x := 1; (λy. z := 2) the assignment to z is latent. In call by name, all effects at
higher order are latent.

A more significant limitation is that it is not obvious how to incorporate higher- 
order store, where a reference may hold a procedure or another reference as its 
contents. This problem has been addressed using different methods, and with some 
success, by the effect systems of Gifford and Lucassen [23]. The types used in effect 
systems are, however, very detailed, and they seem more suitable to an intermediate 
language used in a compiler (where complexity can be hidden from the programmer) 
than in a source language. It would be worthwhile to develop a more abstract form
of control over higher-order references, along the lines of SCI.

In a recent development, Walker and Morrisett have devised a fascinating system 
for interference control [50], which correctly handles higher-order store, and which is 
remarkably similar in structure to a program logic connected to BI [42, 20]. Despite
the structural similarity, the relationship of their work to bunched typing is not yet 
clear. 

9 A Model for SCI+ 

In this section we describe a semantics of SCI+. Our purpose in doing this is to 
back up the informal interpretation of types from Section 8.2. So we will concentrate 
on describing the structure of the model, and how it relates back to the informal 
description. 

9.1 Semantics of Types 

We are going to use an affine model similar to the one in Section 5.2. However,
as explained in [34], in order for new to satisfy naturality requirements of functor
categories, it is necessary to allow for renaming of locations. Therefore, we use the
category I of finite sets and injections as the category of worlds. Also, to interpret
recursion we will use domains in place of sets in the target category.

Let Predom denote the category of predomains (ω-complete posets and continuous maps).

For X a finite set we define

$$[\![\mathrm{comm}]\!]X = SX \Rightarrow SX_\bot$$
$$[\![\mathrm{exp}]\!]X = SX \Rightarrow \mathbb{N}_\bot$$
$$[\![\mathrm{cell}]\!]X = X_\bot$$

Here, $SX = X \Rightarrow \mathbb{N}$ is the set of states at world X, and $\mathbb{N}$ is the set of natural
numbers. Variations are possible. For example, we could allow side effects in
expressions, using $SX \Rightarrow (\mathbb{N} \times SX)_\bot$, or we could make cells dependent on the
store (thus allowing conditional storage cells).

The action of each primitive type on morphisms f in I is defined by renaming
cells according to f and ignoring cells not in its range. The cases of exp and cell
are simple:

$$[\![\mathrm{exp}]\!]\,f\,e\,s = e(f; s),$$
$$[\![\mathrm{cell}]\!]\,f = f_\bot.$$
In the case of comm, when $f : X \to Y$,

$$[\![\mathrm{comm}]\!]\,f\,c\,s =
\begin{cases}
\bot & \text{if } c(f; s) = \bot \\
s' & \text{if } c(f; s) = s'' \text{ and } \forall \ell \in Y.\ (\ell = f\ell' \text{ implies } s'(\ell) = s''(\ell')) \text{ and } (\ell \notin \mathrm{range}(f) \text{ implies } s'(\ell) = s(\ell))
\end{cases}$$



The functor category $\mathbf{Predom}^{\mathcal{I}}$ is cartesian closed, with finite products defined
pointwise. The additive function type can be defined as follows.

$$(A \to B)(X) = \mathbf{Predom}^{\mathcal{I}}[A(X + -),\ B(X + -)].$$

This accurately reflects the informal reading, in that the presence of X in the
argument type A(X + −) indicates how a function p ∈ (A → B)X may share access
to X with its argument.

This is not the standard representation of the exponent in a functor category. We
are relying on the fact that any f : X → Z factors into a left injection i : X → X + Y
followed by an isomorphism j : X + Y → Z. Such a factorization is used to define
the morphism part of A → B. If p ∈ (A → B)X then (A → B) f p ∈ (A → B)Z is
defined by the formula

$$(A \to B)\,f\,p\,W\,a = B(j)\,\big(p\,W'\,(A(j^{-1})\,a)\big)$$

where i : X → X + W', j : X + W' → Z + W is an injection/isomorphism factorization
of the evident injection X → Z + W (f followed by the left injection).

In this description of the function type the hom sets $\mathbf{Predom}^{\mathcal{I}}[A, B]$ are considered to be ordered pointwise. Also, + is the evident functor on I given by disjoint
union of finite sets.

The multiplicative function type once again expresses disjointness of a function
from its argument:

$$(A -\!\!* B)X = \mathbf{Predom}^{\mathcal{I}}[A,\ B(X + -)].$$

To see how the semantics is working, consider the type cell −∗ cell −∗ comm.
Semantically, an element p ∈ [[cell −∗ cell −∗ comm]]{} accepts

  two worlds Y and Z,
  cells c ∈ Y_⊥ and e ∈ Z_⊥

and produces (using {} + Y + Z = Y + Z)

$$p[Y]\,c\,[Z]\,e : S(Y + Z) \Rightarrow S(Y + Z)_\bot.$$

It is evident from this that the arguments c and e cannot be aliases, as they live in
disjoint portions of the store at world Y + Z.

To treat recursion in this model we must effect a transformation

$$\frac{p[X] : [\![\Gamma]\!]X \times [\![\theta]\!]X \to [\![\theta]\!]X}{\mathrm{rec}(p) : [\![\Gamma]\!]X \to [\![\theta]\!]X}$$

Here, we uncurry p to obtain a map of type [[Γ]]X → ([[θ]]X → [[θ]]X) and then
compose on the right with the least fixed-point operator for pointed domains.

For this interpretation to exist we must have that each [[θ]]X is pointed. And for
it to be natural we require that each morphism part [[θ]]f preserves least elements
[36]. These properties are satisfied by all the types in SCI+, and are part of the
identification of a subcategory of $\mathbf{Predom}^{\mathcal{I}}$ in the following section.
9.2 Bunches, Environments and Non-interference

We now give a precise treatment of bunches. Our intention in doing this is to show
one example where the syntactic ambiguity resulting from the rule for coherent
equivalence

$$\frac{\Gamma \vdash M : A}{\Delta \vdash M : A}\ \equiv\ (\text{where } \Delta \equiv \Gamma)$$

is dealt with by requiring that equivalent bunches be semantically equal.

The presentation in this section will be more technical than the others, but it is
mainly a pulling together of known results [36, 29]. Some readers may wish to skip
forward to Section 9.3, where some of the most important valuations are presented
in a way that doesn't depend on the details of this section.

We work in a full subcategory of $\mathbf{Predom}^{\mathcal{I}}$, the category whose objects A have
the following two properties:

1. each AX has a least element, and each Af : AX → AY preserves least
elements, and

2. A preserves pullbacks.

The strictness part of the first condition is needed for naturality of the fixed-point
operator, and the second condition enables a simplified description of environments.
It is straightforward to verify that the meanings of primitive types satisfy these
conditions. We call this category M.

Pullbacks in I are like those in the category of sets. In particular,

    Y ∩ Z ----> Y
      |         |
      v         v
      Z ------> X

is a pullback square, where the unlabeled arrows are inclusion functions. Because
of this, for pullback-preserving functors there is always a smallest world that any
a ∈ AX comes from:

• we say that a comes from Y ⊆ X iff $\exists a' \in AY.\ a = A(Y \hookrightarrow X)\,a'$, and

• we refer to the smallest world that a comes from as the support of a, written
support(a).

The notion of support does not work for arbitrary functors, as there need not be
a unique smallest world that a comes from. But the existence of such worlds, as
guaranteed by pullback preservation, seems intuitively reasonable if we want to
consider support as the set of locations that a computational entity depends on.

Given this notion of support, we can define non-interference. If a ∈ AX and
b ∈ BX, then

• $a \# b \iff \mathrm{support}(a) \cap \mathrm{support}(b) = \{\}$.

Using this notion of non-interference we can finally describe the tensor product ∗
of functors:

$$(A * B)X = \{(a, b) \in AX \times BX \mid a \# b\},$$

$$(A * B)\,f\,(a, b) = (A f a,\ B f b).$$

For this definition to work correctly, it is important that (A ∗ B)f preserves non-interference and that (A ∗ B)X is ω-complete; see [29].
Proposition 20 M is an affine doubly closed category. That is, 1, ∧, → is cartesian
closed structure and 1, ∗, −∗ monoidal closed structure.

This gives us all the structure we need to interpret the affine αλ-calculus, where
we interpret a bunch by mapping "," to ∗ and ";" to ∧. However, a more concrete
semantics of bunches is useful. For this, we first define

$$\Gamma \vdash x \# y \iff x \text{ and } y \text{ have a ``,'' as a common ancestor node in } \Gamma.$$

Bunches are then interpreted by relating the syntactic # to the semantic one:

$$[\![\Gamma]\!]W = \{\, u \in \textstyle\prod_{x \in \Gamma} [\![\Gamma(x)]\!]W \;\mid\; \Gamma \vdash x \# y \Rightarrow u\,x \# u\,y \,\}$$

where we are writing Γ(x) for the type of x in Γ. This representation of environments
allows us to ignore coherent equivalence, while still maintaining a relationship
between "," and ∗ and between ";" and ∧.

Proposition 21 If Γ ≡ Δ then [[Γ]] = [[Δ]]. Further, we have the following isomorphisms:

$$[\![\Gamma, \Delta]\!] \cong [\![\Gamma]\!] * [\![\Delta]\!] \qquad [\![\Gamma; \Delta]\!] \cong [\![\Gamma]\!] \wedge [\![\Delta]\!]$$

The point of this concrete interpretation of bunches is that it makes clear that the
use of the rule for ≡ in the αλ-calculus is not in any way problematic.
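To make the syntactic relation Γ ⊢ x#y and its semantic counterpart concrete, here is an added Python illustration; it is not code from the paper, which works only with the mathematical definitions. It covers both the context-inspection reading of Section 8.2 and the interpretation of bunches in this section, and it makes three assumptions: bunches are a small tree type with leaves for typed identifiers and nodes for "," and ";", "common ancestor" is read as the node at which x and y are split (their lowest common ancestor, which is what makes the isomorphisms of Proposition 21 come out right), and a semantic value is modelled only by its support, the set of locations it depends on. The Towers of Hanoi context of Section 8.2 is used as constructed test data.

```python
"""Bunched contexts, syntactic non-interference, and environments.

Added illustration for Sections 8.2 and 9.2; not code from the paper.
A bunch is a tree whose leaves are typed identifiers and whose internal
nodes are "," (Comma) or ";" (Semi).  Semantic values are modelled only
by their support, the set of locations they depend on (an assumption)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple, Union


@dataclass(frozen=True)
class Leaf:
    ident: str
    typ: str


@dataclass(frozen=True)
class Comma:            # "," : the two halves use disjoint store
    left: "Bunch"
    right: "Bunch"


@dataclass(frozen=True)
class Semi:             # ";" : the two halves may share store
    left: "Bunch"
    right: "Bunch"


Bunch = Union[Leaf, Comma, Semi]


def idents(b: Bunch) -> FrozenSet[str]:
    """All identifiers declared in the bunch."""
    if isinstance(b, Leaf):
        return frozenset([b.ident])
    return idents(b.left) | idents(b.right)


def syntactic_sharp(b: Bunch, x: str, y: str) -> bool:
    """Gamma |- x # y: the node at which x and y are split is a ",".

    Read as the lowest common ancestor of x and y (assumption), so that
    identifiers joined by ";" under an outer "," may still share store."""
    if isinstance(b, Leaf):
        return False
    lx, ly = x in idents(b.left), y in idents(b.left)
    rx, ry = x in idents(b.right), y in idents(b.right)
    if (lx and ry) or (rx and ly):      # b itself separates x from y
        return isinstance(b, Comma)
    if lx and ly:
        return syntactic_sharp(b.left, x, y)
    if rx and ry:
        return syntactic_sharp(b.right, x, y)
    return False                        # x or y is not declared in b


def sharp_relation(b: Bunch) -> FrozenSet[Tuple[str, str]]:
    """The set of pairs (x, y), x < y, with Gamma |- x # y.  Coherently
    equivalent bunches (reassociated or commuted) give the same set."""
    names = sorted(idents(b))
    return frozenset((x, y) for i, x in enumerate(names)
                     for y in names[i + 1:] if syntactic_sharp(b, x, y))


# --- semantic side -----------------------------------------------------
@dataclass(frozen=True)
class Value:
    support: FrozenSet[str]   # the smallest world the value comes from


def semantic_sharp(a: Value, b: Value) -> bool:
    """a # b  iff  support(a) and support(b) are disjoint."""
    return not (a.support & b.support)


def env_in_interpretation(b: Bunch, env: Dict[str, Value]) -> bool:
    """u in [[Gamma]]W iff Gamma |- x # y implies u x # u y, for all x, y."""
    return all(semantic_sharp(env[x], env[y]) for x, y in sharp_relation(b))


# Constructed test data: the Towers of Hanoi context of Section 8.2,
#   moveone : exp -> exp -> comm ; movemany : exp -> exp -> exp -> exp -> comm , c : comm
HANOI = Comma(Semi(Leaf("moveone", "exp -> exp -> comm"),
                   Leaf("movemany", "exp -> exp -> exp -> exp -> comm")),
              Leaf("c", "comm"))

if __name__ == "__main__":
    print(sorted(sharp_relation(HANOI)))      # c # moveone and c # movemany only
    env = {"moveone": Value(frozenset({"l1"})),
           "movemany": Value(frozenset({"l1", "l2"})),   # shares l1: allowed by ";"
           "c": Value(frozenset({"l3"}))}
    print(env_in_interpretation(HANOI, env))  # True
```

The check is fail-safe in the sense of Section 8.2: `syntactic_sharp` answers True only when a "," really separates the two identifiers, and answers False both for identifiers joined by ";" and for an identifier that is not in the bunch at all.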

9.3 Selected Valuations 

We will make use of a multi-map characterization of maps out of A ∗ B, which
enables a simple description of most of the maps in the semantics. To repeat the
point made for the basic disjointness model, since we expect to have an isomorphism
$\mathbf{Predom}^{\mathcal{I}}[A * B, C] \cong \mathbf{Predom}^{\mathcal{I}}[A, B -\!\!* C]$, we must obtain the following, no
matter what ∗ is.

Maps p : A ∗ B → C out of a tensor are in bijection with families of
functions

$$p[X][Y] : AX \times BY \to C(X + Y),$$

natural in X and Y.

Because of this characterization, we will expect maps out of a context Γ, Δ to
be in bijection with families of maps where we use one world for Δ and another for
Γ. Based on this assumption, we now give the semantics of several terms.

We begin with ||. First, we define a state transformation c || c', when c and c'
are commands referring to disjoint store:

$$\frac{c : S(X) \to S(X)_\bot \qquad c' : S(Y) \to S(Y)_\bot}{c \parallel c' = \lambda[s, s'] : S(X + Y).\ [cs, c's'] : S(X + Y) \to S(X + Y)_\bot}$$

where $[\cdot, \cdot] : S(X + Y) \to S(X) \times S(Y)$ is the evident isomorphism and [cs, c's'] is ⊥
if either cs or c's' is. Then we can interpret the term-formation rule for || as follows.

$$\frac{p[X] : [\![\Gamma]\!]X \to [\![\mathrm{comm}]\!]X \qquad q[Y] : [\![\Delta]\!]Y \to [\![\mathrm{comm}]\!]Y}{\Lambda X.\Lambda Y.\lambda(u, v).\ p[X]u \parallel q[Y]v : [\![\Gamma]\!]X \times [\![\Delta]\!]Y \to [\![\mathrm{comm}]\!](X + Y)}$$

Here, we have used polymorphic λ-calculus notation to talk about families of maps
in what should be a clear way [33].
This semantics makes obvious that different components of || act on disjoint
portions of the store. In contrast, the rule for sequential composition uses the same
context Γ for both commands, and so we use the transformation

$$\frac{p[X] : [\![\Gamma]\!]X \to [\![\mathrm{comm}]\!]X \qquad q[X] : [\![\Gamma]\!]X \to [\![\mathrm{comm}]\!]X}{\Lambda X.\lambda u.\ (p[X]u);(q[X]u) : [\![\Gamma]\!]X \to [\![\mathrm{comm}]\!]X}$$

where ";" is composition of partial functions. The common use of X by p and q
makes clear that they access the same portion of store.

For new declarations we again appeal to disjointness, where the declared cell is
disjoint from the store in use when a declaration begins execution. The semantic
transformation is

$$\frac{p[X][Y] : [\![\Gamma]\!]X \times [\![\mathrm{cell}]\!]Y \to [\![\mathrm{comm}]\!](X + Y)}{\Lambda X.\lambda u.\lambda s.\ f\big(p[X][\{*\}](u, *)\,(s \mid * \mapsto 0)\big) : [\![\Gamma]\!]X \to [\![\mathrm{comm}]\!]X}$$

where $f : S(X + \{*\})_\bot \to S(X)_\bot$ forgets the {∗} component.

Finally, for λ-abstraction a λ-bound variable abstracts over meanings defined in a
world that is separate from the world for other free identifiers.

$$\frac{p[X][Y] : [\![\Gamma]\!]X \times [\![\theta]\!]Y \to [\![\theta']\!](X + Y)}{\lambda u.\Lambda Y.\lambda x \in [\![\theta]\!]Y.\ p[X][Y](u, x) : [\![\Gamma]\!]X \to [\![\theta -\!\!* \theta']\!]X}$$

Thus, in λx. M the identifier x does not share storage with any other identifier free
in M.
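The valuations above, together with the renaming action of [[comm]] from Section 9.1, can be run on finite worlds. The following Python is an added example, not code from the paper: a world is a finite set of location names, a state in S(X) is a dict from exactly those names to naturals, a command in [[comm]]X is a function from states to a state or None (standing for ⊥), and an injection f : X → Y is given as a dict. The primitive commands (assign, incr, copy_cell) and the sample states are constructed for the illustration.

```python
"""State-transformer semantics of commands over finite worlds.

Added example for Sections 9.1 and 9.3; not code from the paper.
A world X is a finite set of location names, S(X) is a dict mapping
exactly those names to naturals, and a command c in [[comm]]X is a
function S(X) -> S(X)_bot, with None standing for bottom."""
from typing import Callable, Dict, FrozenSet, Optional

World = FrozenSet[str]
State = Dict[str, int]
Command = Callable[[State], Optional[State]]


def rename(f: Dict[str, str], c: Command) -> Command:
    """[[comm]] f c for an injection f : X -> Y, given as a dict x -> f(x).

    The command runs on f;s (the X-shaped view of the Y-state s); cells in
    the range of f receive c's results, cells outside it keep their value."""
    if len(set(f.values())) != len(f):
        raise ValueError("f must be injective")

    def c_at_y(s: State) -> Optional[State]:
        r = c({x: s[y] for x, y in f.items()})     # c(f ; s)
        if r is None:                              # c diverged: bottom
            return None
        out = dict(s)                              # l not in range(f): s'(l) = s(l)
        for x, y in f.items():
            out[y] = r[x]                          # l = f(x): s'(l) = s''(x)
        return out
    return c_at_y


def par(c: Command, x: World, d: Command, y: World) -> Command:
    """c || d on S(X + Y) for disjoint X and Y: split the state with the
    isomorphism S(X + Y) = S(X) x S(Y), run each side on its own half,
    glue the results; bottom if either side is bottom."""
    if x & y:
        raise ValueError("parallel composition needs disjoint worlds")

    def both(s: State) -> Optional[State]:
        r1 = c({l: s[l] for l in x})
        r2 = d({l: s[l] for l in y})
        if r1 is None or r2 is None:
            return None
        return {**r1, **r2}
    return both


def seq(c: Command, d: Command) -> Command:
    """c ; d: composition of partial functions on one and the same world."""
    def run(s: State) -> Optional[State]:
        r = c(s)
        return None if r is None else d(r)
    return run


def new(body: Callable[[str], Command]) -> Command:
    """new x in body: run the body at world X + {*} with the fresh cell *
    set to 0, then forget the * component of the result (the map f)."""
    def run(s: State) -> Optional[State]:
        fresh = "*"
        if fresh in s:                 # * must be disjoint from the store in use
            raise ValueError("fresh cell already allocated")
        r = body(fresh)({**s, fresh: 0})
        if r is None:
            return None
        return {l: v for l, v in r.items() if l != fresh}
    return run


# constructed primitive commands
def assign(loc: str, n: int) -> Command:
    return lambda s: {**s, loc: n}


def incr(loc: str) -> Command:
    return lambda s: {**s, loc: s[loc] + 1}


def copy_cell(src: str, dst: str) -> Command:
    return lambda s: {**s, dst: s[src]}


DIVERGE: Command = lambda s: None       # the bottom command


if __name__ == "__main__":
    X, Y = frozenset({"a"}), frozenset({"b"})
    print(par(incr("a"), X, assign("b", 5), Y)({"a": 1, "b": 0}))   # {'a': 2, 'b': 5}
    print(seq(incr("a"), incr("a"))({"a": 1}))                      # {'a': 3}
    print(rename({"a": "p"}, incr("a"))({"p": 1, "q": 9}))          # {'p': 2, 'q': 9}
    print(new(lambda t: seq(assign(t, 7), copy_cell(t, "a")))({"a": 0}))  # {'a': 7}
```

The split in `par` is where the model enforces the informal reading: each side only ever sees the dict restricted to its own world, so there is no way for the two commands to touch the same cell, whereas `seq` hands the whole state to both.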

The semantic model described in this section accomplishes two things. First,
and foremost, we claim that it achieves our basic aim, of substantiating the informal
sharing reading.

Second, it shows that 

Proposition 22 SCI+ has IA and SCI as semantic sublanguages.

To be precise, what this means is

1. the model obtained from the translation (·)° from Proposition 19 is a standard
functor-category model of IA [34].

2. the semantics of the SCI fragment of SCI+ is the semantics of SCI given in
[29] (ignoring passivity).

The only real differences in the various interpretations are the rules in SCI or IA that
were left out of SCI+, but which were shown to be derivable. The most important
case is new: the reason it does not present a difficulty is that, even in IA, a locally
declared cell doesn't interfere with any other identifiers free in its defining block.
This is why the use of "," in the SCI+ rule for new is semantically sufficient to
capture IA's new.

10 Jumps 

Jumps cause a problem broadly similar to the one with recursion in SCI. In this
section we indicate how this problem can be overcome using αλ.

To see the difficulty, consider a block escape x in M. This declares a new label 
which, when jumped to from within M, results in a transfer of control to the end 
of the block. From the point of view of continuation semantics, it binds x to the 
current continuation, which is a function from states to final answers that describes 
computation that will take place after the block is finished. This means that, if the 
computation associated with the current continuation changes any storage cell then
x will interfere with that cell. So, in (escape x in M); z := 4 the identifiers z and
x interfere, if z occurs within M.

Thus, from the point of view of continuation semantics, the escape statement 
violates the requirement that distinct identifiers never interfere (unless we put rather 
draconian conditions on identifiers appearing in or following an escape block) . One 
might attempt to use a different form of semantics to define a different notion of 
interference for labels. It will be simpler just to allow this interference, by arranging 
the typing rule so that x is set additively apart from other identifiers. 

Following [36], we add a primitive type compl for completions (labels) and
remove comm. We now regard comm as syntactic sugar for compl → compl.
The semantics of the type of completions is given using a fixed domain A of answers.

$$[\![\mathrm{compl}]\!]X = SX \Rightarrow A$$

$$[\![\mathrm{compl}]\!]\,f\,k\,s = k(f; s)$$

With this semantics, the language with the completion type has the same sense
of non-interference as SCI+: the semantics of −∗ ensures that whenever we see
a sequence αx λy or λx λy we know that x and y access different portions of the
store.

The central syntactic rules are

$$\frac{\Gamma; x : \mathrm{compl} \vdash M : \mathrm{comm}}{\Gamma \vdash \mathbf{escape}\ x\ \mathbf{in}\ M : \mathrm{comm}}
\qquad
\frac{\Gamma \vdash M : \mathrm{compl}}{\Gamma \vdash \mathbf{goto}\ M : \mathrm{comm}}$$

where the use of ";" in the rule for escape allows for the interference between x
and identifiers in Γ. These can be given a standard continuation semantics, exactly
as was done by Oles [36]. For escape, we effect a transformation

$$\frac{[\![\Gamma; x : \mathrm{compl}]\!] \to [\![\mathrm{comm}]\!]}{[\![\Gamma]\!] \to [\![\mathrm{comm}]\!]}$$

accomplished by binding x to the current continuation:

$$f'[X]\,u\,X'\,k\,s = f[X + X'](u' \mid x \mapsto k)\,k\,s$$

where

  u ∈ [[Γ]]X,

  k ∈ [[compl]](X + X'),

  i : X → X + X' is the left injection,

  u' = [[Γ]] i u,

  s ∈ S(X + X').

Here, the extra parameter X' is occurring because comm = compl → compl is a
procedure type, and we are using the representation of → given in the last section.

goto is given by a map g : [[compl]] → ([[compl]] → [[compl]]) from completions to commands, which ignores the current continuation:

$$g[X]\,k\,[X']\,k' = [\![\mathrm{compl}]\!]\,i\,k$$

where i : X → X + X' is again the left injection.

Finally, to illustrate the effect of interference constraints we define the parallel 
composition of completions. 

$$\frac{\Gamma \vdash M : \mathrm{compl} \qquad \Delta \vdash N : \mathrm{compl}}{\Gamma, \Delta \vdash M \parallel N : \mathrm{compl}}$$

Its semantics is given by a map par : [[compl]] ∗ [[compl]] → [[compl]] and is defined
similarly to the parallel composition of commands. For this, we refer again to the
multi-map characterization of maps out of ∗, and define

$$\mathrm{par}[X][X'](k, k')[s, s'] = (ks \cdot k's')$$

where $(- \cdot -) : A \times A \to A$ is a function that puts together two final answers.

For concreteness, we take A to be the two-point cpo {t}_⊥ and (·) to be meet.

Here, we regard an answer t as indicating termination. We admit that this use of a 
function on answers is ad hoc. It does, however, enable us to show a sense in which 
completions typed in contexts separated by "," do not interfere. 

We have not included parallel composition for commands, because the right way
to do so is not obvious. For, one of the commands in M || N might jump out, and
ignore the current continuation. (It might be possible to use bunches to control the
range of continuations; that, however, is beyond the scope of this paper.)
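The continuation semantics of this section can be executed on small programs. The Python below is an added illustration, not the paper's code: worlds are elided, a completion is a function from states to answers, the answer domain {t}_⊥ is modelled by True (t, termination) and None (⊥), and a command is a function from a continuation to a continuation, so that escape binds the label to the current continuation and goto discards it. The program (escape x in (z := 1; goto x; z := 2)); z := 4 is constructed to show the point made at the start of the section: jumping to x performs the assignment z := 4 that follows the block, so x and z interfere.

```python
"""Continuation semantics of completions, escape and goto.

Added example for Section 10; not code from the paper.  Worlds are
elided.  A completion is a function from states to answers, where the
answer domain {t}_bot is modelled by True (t, termination) and None
(bottom); a command is compl -> compl, i.e. it receives the current
continuation."""
from typing import Callable, Dict, Optional, Tuple

State = Dict[str, int]
Answer = Optional[bool]                  # True = t, None = bottom
Compl = Callable[[State], Answer]        # [[compl]] X = SX => A
Command = Callable[[Compl], Compl]       # comm = compl -> compl


def assign(loc: str, n: int) -> Command:
    """loc := n, then continue with the current continuation."""
    return lambda k: (lambda s: k({**s, loc: n}))


def seq(c: Command, d: Command) -> Command:
    """c ; d: c runs with "d, then k" as its continuation."""
    return lambda k: c(d(k))


def goto(label: Compl) -> Command:
    """goto M ignores the current continuation k' and transfers to the label."""
    return lambda k_prime: label


def escape(body: Callable[[Compl], Command]) -> Command:
    """escape x in M: bind x to the current continuation k and run M with k."""
    return lambda k: body(k)(k)


def run(c: Command, s: State) -> Tuple[Answer, State]:
    """Run c from s under a final continuation that records the final
    state and answers t; returns the answer and that recorded state."""
    final: State = {}

    def halt(s_final: State) -> Answer:
        final.update(s_final)
        return True
    answer = c(halt)(s)
    return answer, dict(final)


def par_compl(k: Compl, k2: Compl) -> Compl:
    """par (k, k') [s, s'] = k s . k' s', with (.) the meet on {t}_bot:
    the answer is t exactly when both completions answer t.  The two
    completions receive the two disjoint halves of the split state."""
    def both(split: Tuple[State, State]) -> Answer:
        s, s2 = split
        return True if (k(s) is True and k2(s2) is True) else None
    return both


BOTTOM: Compl = lambda s: None    # a completion whose computation never finishes


# constructed program: (escape x in (z := 1; goto x; z := 2)); z := 4
def escape_example() -> Tuple[Answer, State]:
    block = escape(lambda x: seq(assign("z", 1), seq(goto(x), assign("z", 2))))
    return run(seq(block, assign("z", 4)), {"z": 0})


if __name__ == "__main__":
    print(escape_example())       # (True, {'z': 4}): z := 2 is skipped, z := 4 still runs
```

Running `escape_example` shows both halves of the interference claim: the assignment z := 2 after the jump never happens, and the continuation bound to x carries the assignment z := 4, so invoking x writes z. A `goto` to a completion that never finishes yields the answer ⊥ and never reaches the code after it.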

11 Conclusion 

The αλ-calculus and BI offer a new perspective on how control over structural
rules translates into control over access to resources in a computer system. As
we have suggested here, the main point is the emphasis on sharing, supported by
a spatial view of possible world semantics which has developed over a number of
years [44, 27, 30, 33].

We began the paper by recounting an analogy between syntactic control of 
interference and linear logic, where both systems limit the use of Contraction. This 
was followed by recalling a dilemma: Although there is a formal similarity, there 
is also an important conceptual difference; control of Contraction in SCI is about 
sharing, while in LL it is primarily about duplication. 

Now the reader might feel that we are splitting hairs here, as at first sight 
duplication versus sharing may appear to be a case of six of one versus a half dozen 
of the other. But the distinction is crucial in computer science. The number-of- 
uses explanation of linear logic calls to mind the notion of temporary resources in 
Operating Systems [8] , the canonical example of which is a message produced by one 
process and consumed by another. The analogy with temporary resources is clear in 
several formal interpretations of linear logic, including the original coherence space 
model [16] and a concurrency reading [1]. In contrast, the sharing interpretation 
of αλ concerns what is often labelled a permanent resource. Here, permanent does
not literally mean permanent, but potentially long lived; examples include files, 
external devices, or portions of the store. For this kind of resource it is sharing, 
rather than consumption, that is the prime concern. 

The results of this paper give one answer to the question of whether the conceptual difference between sharing and duplication should lead to different formal
structure. We described a new calculus, the αλ-calculus, which we showed differs
from linear λ-calculi in several significant respects. And for each difference between
the systems we were able to offer an explanation of αλ's stance by appeal to a
sharing interpretation, where linear logic's stance can be understood in terms of a
number of uses reading. Because different formal systems fit each of these readings
we claim that the differences are genuinely structural, and run deeper than merely
having separate models of the same system.

Finally, it is worth mentioning a related resource perspective on BI, which does
not mention λ-terms. Here we speak of the resources a function has access to
which, when we erase λ-terms, corresponds to talking about proofs. A similar interpretation can be given on a purely logical level, where one views −∗ and →
as implications, and where the semantics is phrased in terms of truth conditions;
proofs are not mentioned. This semantics of BI [31, 38], which was first advanced
by Pym in 1997, is similar to the functional interpretation we derived from SCI,
but genuinely different because of its declarative character: a number of interesting
models have been described that make good sense from a truth-based perspective,
but that have much less immediate type-theoretic significance [20, 25, 11, 10]. Incidentally, several of these models do not admit Weakening, and so correspond to
the basic system of Section 3.1 rather than the affine variant used in the application
to SCI.